Abstract. The problem of computing Craig interpolants in SAT and SMT has recently received a lot of interest, mainly for its applications in formal verification. Efficient algorithms for interpolant generation have been presented for some theories of interest, including that of equality and uninterpreted functions (EUF), linear arithmetic over the rationals (LA(Q)), and their combination, and they are successfully used within model checking tools. For the theory of linear arithmetic over the integers (LA(Z)), however, the problem of finding an interpolant is more challenging, and the task of developing efficient interpolant generators for the full theory LA(Z) is still the objective of ongoing research. In this article we try to close this gap. We build on previous work and present a novel interpolation algorithm for SMT(LA(Z)), which exploits the full power of current state-of-the-art SMT(LA(Z)) solvers. We demonstrate the potential of our approach with an extensive experimental evaluation of our implementation of the proposed algorithm in the MathSAT SMT solver.



Given two formulas A and B such that A ∧ B is inconsistent, a Craig interpolant (simply "interpolant" hereafter) for (A, B) is a formula I s.t. A entails I, I ∧ B is inconsistent, and all uninterpreted symbols of I occur in both A and B.

Interpolation in both SAT and SMT has been recognized to be a substantial tool for formal verification. For instance, in the context of software model checking based on counterexample-guided abstraction refinement (CEGAR), interpolants of quantifier-free formulas in suitable theories are computed for automatically refining abstractions in order to rule out spurious counterexamples. Consequently, the problem of computing interpolants in SMT has received a lot of interest in the last years (e.g., [McM05, RSS10, YM05, KMZ06, CGS10, JCG08, LT08, FGG+09, GKT09, BKRW10, KLR10]). In recent years, efficient algorithms and tools for interpolant generation for quantifier-free formulas in SMT have been presented for some theories of interest, including that of equality and uninterpreted functions (EUF) [McM05, FGG+09], linear arithmetic over the rationals (LA(Q)) [McM05, RSS10, CGS10], fixed-width bit-vectors [KW07, Gri11], and for combined theories [YM05, RSS10, CGS10, GKT09], and they are successfully used within model-checking tools.

For the theory of linear arithmetic over the integers (LA(Z)), however, the problem of finding an interpolant is more challenging. In fact, it is not always possible to obtain quantifier-free interpolants starting from quantifier-free input formulas in the standard signature of LA(Z) (consisting of Boolean connectives, integer constants and the symbols +, −, ≤, =) [McM05]. For instance, there is no quantifier-free interpolant for the LA(Z)-formulas A ≡ (2x − y + 1 = 0) and B ≡ (y − 2z = 0).

In order to overcome this problem, different research directions have been explored. One is to restrict to important fragments of LA(Z) where the problem does not occur. To this extent, efficient interpolation algorithms for the Difference Logic (DL) and Unit-Two-Variables-Per-Inequality (UTVPI) fragments of LA(Z) have been proposed in [CGS10]. Another direction is to extend the signature of LA(Z) to contain modular equalities =_c (or, equivalently, divisibility predicates), so that it is possible to compute quantifier-free LA(Z) interpolants by means of quantifier elimination, which is however prohibitively expensive in general, both in theory and in practice. For instance, I ≡ (−y + 1 =_2 0) ≡ ∃x.(2x − y + 1 = 0) is an interpolant for the formulas (A, B) above. Using modular equalities, Jain et al. [JCG08] developed polynomial-time interpolation algorithms for linear equations and their negation and for linear modular equations. A similar algorithm was also proposed in [LT08]. The work in [BKRW10] was the first to present an interpolation algorithm for the full LA(Z) (augmented with divisibility predicates) which was not based on quantifier elimination. Finally, an alternative algorithm, exploiting efficient interpolation procedures for LA(Q) and for linear equations in LA(Z), has been presented in [KLR10].

The obvious limitation of the first research direction is that it does not cover the full LA(Z). For the second direction, the approaches so far seem to suffer from some drawbacks. In particular, some of the interpolation rules of [BKRW10] might result in an exponential blow-up in the size of the interpolants wrt. the size of the proofs of unsatisfiability from which they are generated. The algorithm of [KLR10] avoids this, but at the cost of significantly restricting the heuristics commonly used in state-of-the-art SMT solvers for LA(Z) (e.g., in the framework of [KLR10] neither the use of Gomory cuts [Sch86] nor that of "cuts from proofs" [DDA09] is allowed). More generally, how to efficiently integrate the presented techniques into a state-of-the-art SMT(LA(Z)) solver is not immediate to foresee from the papers.

In this article we try to close this gap. After recalling the necessary background knowledge (§2), we present our contribution, which is twofold.

First (§3), we show how to extend the state-of-the-art LA(Z)-solver of MathSAT [Gri12] in order to implement interpolant generation on top of it without affecting its efficiency. To this extent, we combine different algorithms corresponding to the different submodules of the LA(Z)-solver, so that each of the submodules requires only minor modifications, and implement them in MathSAT (MathSAT-modEq hereafter). An extensive empirical evaluation (§5) shows that MathSAT-modEq outperforms in efficiency all existing interpolant generators for LA(Z).

Second (§4), we propose a novel and general interpolation algorithm for LA(Z), independent of the architecture of MathSAT, which overcomes the drawbacks of the current approaches. The key idea is to extend both the signature and the domain of LA(Z): we extend the signature by adding the ceiling function ⌈·⌉ to it, and the domain by allowing non-variable terms to be non-integers. This greatly simplifies the interpolation procedure, and allows for producing interpolants which are much more compact than those generated by the algorithm of [BKRW10]. Also this novel technique was easily implemented on top of the LA(Z)-solver of MathSAT without affecting its efficiency. (We call this implementation MathSAT-ceil.) An extensive empirical evaluation (§5) shows that MathSAT-ceil drastically outperforms MathSAT-modEq, and hence all other existing interpolant generators for LA(Z), in both efficiency and size of the final interpolant.

Finally, in §6 we report some related work, and in §7 we present some conclusions. We recall that a shorter version of this article appeared at the TACAS 2011 conference [GLS11].

2. Background: SMT(LA(Z))

We first provide the necessary background. We will use the following notational conventions:

• We denote formulas with A, B, S, I, φ, ψ.

• Given a formula φ partitioned into A and B, the variables in φ are denoted with x, y, z, s, v, xᵢ, yⱼ, zₖ, sₕ, vₗ:

— xᵢ for variables that occur only in A (A-local);

— zₖ for variables that occur only in B (B-local);

— yⱼ for variables that occur both in A and in B (AB-common);

— vₗ when we don't want to distinguish them as in the above cases.

• We denote integer constants with a, b, c, d.

• We denote terms with t₁, t₂. We write t₁ ≡ t₂ to denote that the two terms are syntactically identical, and t₁ =_c t₂ to denote that they are congruent modulo c. With φ₁ ≡ φ₂ we denote the logical equivalence of the two formulas φ₁ and φ₂.

• We write t ≼ A to denote that all the uninterpreted symbols occurring in t occur also in A. In this case, we say that t is A-pure. Given two formulas A, B such that t ≼ (A ∪ B) but t ⋠ A and t ⋠ B, we say that t is AB-mixed.

2.1. Generalities. In this section we provide some background on SMT (§2.1.1) and on interpolation in SMT (§2.1.2).

2.1.1. Satisfiability Modulo Theory - SMT. Our setting is standard first order logic. We use the standard notions of theory, satisfiability, validity, logical consequence. A 0-ary function symbol is called a constant. A term is a first-order term built out of function symbols and variables. If t₁, …, tₙ are terms and p is a predicate symbol, then p(t₁, …, tₙ) is an atom. A literal is either an atom or its negation. A formula φ is built in the usual way out of the universal and existential quantifiers, Boolean connectives, and atoms. We call a formula quantifier-free if it does not contain quantifiers, and ground if it does not contain free variables. A clause is a disjunction of literals. A formula is said to be in conjunctive normal form (CNF) if it is a conjunction of clauses. For every non-CNF T-formula φ, an equisatisfiable CNF formula φ′ can be generated in polynomial time [Tse68].

We call Satisfiability Modulo (the) Theory T, SMT(T), the problem of deciding the satisfiability of quantifier-free formulas wrt. a background theory T.¹ Given a theory T, we write φ ⊨_T ψ (or simply φ ⊨ ψ) to denote that the formula ψ is a logical consequence of φ in the theory T. With φ ≼ ψ we denote that all uninterpreted (in T) symbols of φ appear in ψ. If C is a clause, C ↓ B is the clause obtained by removing all the literals whose atoms do not occur in B, and C \ B that obtained by removing all the literals whose atoms do occur in B. With a little abuse of notation, we might sometimes denote conjunctions of literals l₁ ∧ … ∧ lₙ as sets {l₁, …, lₙ} and vice versa. If η is the set {l₁, …, lₙ}, we might write ¬η to mean ¬l₁ ∨ … ∨ ¬lₙ.

We call T-solver a procedure that decides the consistency of a conjunction of literals in T. If S is a set of literals in T, we call T-conflict set w.r.t. S any subset η of S which is inconsistent in T. We call ¬η a T-lemma (notice that ¬η is a T-valid clause).

A standard technique for solving the SMT(T) problem is to integrate a DPLL-based SAT solver and a T-solver in a lazy manner (see, e.g., [BSST09] for a detailed description). DPLL is used as an enumerator of truth assignments for the propositional abstraction of the input formula. At each step, the set S of T-literals in the current assignment is sent to the T-solver to be checked for consistency in T. If S is inconsistent, the T-solver returns a conflict set η, and the corresponding T-lemma ¬η is added as a blocking clause in DPLL, and used to drive the backjumping and learning mechanism.

Definition 2.1 (Resolution proof). Given a set of clauses S ≡ {C₁, …, Cₙ} and a clause C, we call a resolution proof of the deduction ∧ᵢ Cᵢ ⊨_T C a DAG P such that:

(1) C is the root of P;

(2) the leaves of P are either elements of S or T-lemmas;

(3) each non-leaf node C′ has two premises C_{p₁} and C_{p₂} such that C_{p₁} ≡ p ∨ φ₁, C_{p₂} ≡ ¬p ∨ φ₂, and C′ ≡ φ₁ ∨ φ₂. The atom p is called the pivot of C_{p₁} and C_{p₂}.

If C is the empty clause (denoted with ⊥), then P is a resolution proof of (T-)unsatisfiability for ∧ᵢ Cᵢ.

2.1.2. Interpolation in SMT. We consider the SMT(T) problem for some background theory T. Given an ordered pair (A, B) of formulas such that A ∧ B ⊨_T ⊥, a Craig interpolant (simply "interpolant" hereafter) is a formula I s.t.

(i) A ⊨_T I,
(ii) I ∧ B is T-inconsistent, and
(iii) I ≼ A and I ≼ B.

Following [McM05], an interpolant for (A, B) in SMT(T) can be generated by combining a propositional interpolation algorithm for the Boolean structure of the formula A ∧ B with a T-specific interpolation procedure that deals only with negations of T-lemmas (that is, with T-inconsistent conjunctions of T-literals), as described in Algorithm 2.2. The algorithm works by computing a formula I_C for each clause C in the resolution refutation, such that the formula I_⊥ associated to the empty root clause is the computed interpolant. Therefore, in the rest of the article, we shall consider algorithms for conjunctions/sets of literals only, which can be extended to general formulas by simply "plugging" them into Algorithm 2.2.

¹ The general definition of SMT deals also with quantified formulas. Nevertheless, in this article we restrict our interest to quantifier-free formulas.

[Figure 1]

Figure 1: Resolution proof of unsatisfiability (a) and interpolant (b) for the pair (A, B) of formulas of Example 2.3. In the tree on the left, T-lemmas are displayed in boldface, and clauses from A are underlined.



Algorithm 2.2. Interpolant generation for SMT(T)

(1) Generate a resolution proof of unsatisfiability P for A ∧ B.

(2) For every T-lemma ¬η occurring in P, generate an interpolant I_{¬η} for (η \ B, η ↓ B).

(3) For every input clause C in P, set I_C ≡ C ↓ B if C ∈ A, and I_C ≡ ⊤ if C ∈ B.

(4) For every inner node C of P obtained by resolution from C₁ ≡ p ∨ φ₁ and C₂ ≡ ¬p ∨ φ₂, set I_C ≡ I_{C₁} ∨ I_{C₂} if p does not occur in B, and I_C ≡ I_{C₁} ∧ I_{C₂} otherwise.

(5) Output I_⊥ as an interpolant for (A, B).



Example 2.3. Consider the following two formulas in LA(Q):

A ≡ (p ∨ (−y + 3x − 1 ≤ 0)) ∧ (−y − x ≤ 0) ∧ (¬q ∨ ¬(−y − x ≤ 0))

B ≡ (¬(−z + 2y + 3 ≤ 0) ∨ (2z − 1 ≤ 0)) ∧ (¬p ∨ q) ∧ (p ∨ (−z + 2y + 3 ≤ 0))

Figure 1(a) shows a resolution proof of unsatisfiability for A ∧ B, in which the clauses from A have been underlined. The proof contains the following LA(Q)-lemma (displayed in boldface):

¬(−y + 3x − 1 ≤ 0) ∨ ¬(−y − x ≤ 0) ∨ ¬(−z + 2y + 3 ≤ 0) ∨ ¬(2z − 1 ≤ 0).

Figure 1(b) shows, for each clause Θᵢ in the proof, the formula I_{Θᵢ} generated by Algorithm 2.2. For the LA(Q)-lemma, it is easy to see that (−4y − 1 ≤ 0) is an interpolant for ((−y + 3x − 1 ≤ 0) ∧ (−y − x ≤ 0), (−z + 2y + 3 ≤ 0) ∧ (2z − 1 ≤ 0)) as required by Step 2 of the algorithm. Therefore, I_⊥ ≡ (p ∨ (−4y − 1 ≤ 0)) ∧ ¬q is an interpolant for (A, B).

[Figure 2]

Figure 2: Architecture of the LA(Z)-solver of MathSAT.
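As an added illustration (not code from the article or from MathSAT), the following Python runs Algorithm 2.2 over Example 2.3: the clauses of A and B, the LA(Q)-lemma with its interpolant (−4y − 1 ≤ 0), and the resolution steps of Figure 1(a) are encoded by hand as constructed input; the clause and formula representation is this example's own convention.

```python
"""
Interpolant generation for SMT(T) following Algorithm 2.2.

Clauses are frozensets of literals; a literal is (atom, polarity), polarity
True being the positive literal.  T-atoms such as "-y-x<=0" and Boolean atoms
such as "p" are plain strings.  The formulas I_C built by the algorithm are
nested tuples: ("lit", literal), ("or", f, g), ("and", f, g), True, False.
"""

def lit(atom, pos=True):
    return (atom, pos)

def clause(*lits):
    return frozenset(lits)

def atoms_of(clauses):
    """All atoms occurring in a set of clauses."""
    return {a for c in clauses for (a, _) in c}

def simplify(f):
    """Remove True/False from and/or trees so the output stays readable."""
    if f is True or f is False or f[0] == "lit":
        return f
    op, l, r = f[0], simplify(f[1]), simplify(f[2])
    unit, absorb = (False, True) if op == "or" else (True, False)
    if l is absorb or r is absorb:
        return absorb
    if l is unit:
        return r
    if r is unit:
        return l
    return (op, l, r)

def restrict_to_b(c, b_atoms):
    """C ↓ B: the disjunction of the literals of C whose atoms occur in B."""
    f = False
    for l in sorted(c):                    # sorted for deterministic output
        if l[0] in b_atoms:
            f = ("or", f, ("lit", l))
    return simplify(f)

def interpolant(a_clauses, b_clauses, proof, lemma_interpolants):
    """
    proof: maps each derived clause to (pivot_atom, premise1, premise2); the
           leaves are input clauses or T-lemmas and the root is the empty clause.
    lemma_interpolants: the T-specific interpolant of each T-lemma (step 2).
    Returns I_⊥ (step 5).
    """
    b_atoms = atoms_of(b_clauses)
    memo = {}

    def ic(c):
        if c in memo:
            return memo[c]
        if c in a_clauses:                 # step 3: I_C = C ↓ B
            r = restrict_to_b(c, b_atoms)
        elif c in b_clauses:               # step 3: I_C = ⊤
            r = True
        elif c in lemma_interpolants:      # step 2: T-lemma
            r = lemma_interpolants[c]
        else:                              # step 4: resolution on pivot p
            p, c1, c2 = proof[c]
            r = simplify(("and" if p in b_atoms else "or", ic(c1), ic(c2)))
        memo[c] = r
        return r

    return ic(clause())

# Example 2.3, encoded by hand; the resolution steps follow Figure 1(a).
A1_ATOM, A2_ATOM = "-y+3x-1<=0", "-y-x<=0"
B1_ATOM, B2_ATOM = "-z+2y+3<=0", "2z-1<=0"
A = {clause(lit("p"), lit(A1_ATOM)),
     clause(lit(A2_ATOM)),
     clause(lit("q", False), lit(A2_ATOM, False))}
B = {clause(lit(B1_ATOM, False), lit(B2_ATOM)),
     clause(lit("p", False), lit("q")),
     clause(lit("p"), lit(B1_ATOM))}
LEMMA = clause(lit(A1_ATOM, False), lit(A2_ATOM, False),
               lit(B1_ATOM, False), lit(B2_ATOM, False))
LEMMA_ITP = ("lit", lit("-4y-1<=0"))     # interpolant of the LA(Q)-lemma

C1 = clause(lit(A1_ATOM, False), lit(A2_ATOM, False), lit(B1_ATOM, False))
C2 = clause(lit(A1_ATOM, False), lit(A2_ATOM, False), lit("p"))
C3 = clause(lit(A2_ATOM, False), lit("p"))
C4 = clause(lit(A2_ATOM, False), lit("q"))
C5 = clause(lit(A2_ATOM, False))
PROOF = {
    C1: (B2_ATOM, LEMMA, clause(lit(B1_ATOM, False), lit(B2_ATOM))),
    C2: (B1_ATOM, C1, clause(lit("p"), lit(B1_ATOM))),
    C3: (A1_ATOM, C2, clause(lit("p"), lit(A1_ATOM))),
    C4: ("p", C3, clause(lit("p", False), lit("q"))),
    C5: ("q", C4, clause(lit("q", False), lit(A2_ATOM, False))),
    clause(): (A2_ATOM, C5, clause(lit(A2_ATOM))),
}

def example_2_3():
    """I_⊥ for Example 2.3: (p ∨ (-4y-1 ≤ 0)) ∧ ¬q."""
    return interpolant(A, B, PROOF, {LEMMA: LEMMA_ITP})

if __name__ == "__main__":
    print(example_2_3())
```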



2.2. Efficient SMT(LA(Z)) solving. In this section, we describe our algorithm for efficiently solving SMT(LA(Z)) problems, as implemented in the MathSAT 5 SMT solver [Gri12]. The key feature of our solver is an extensive use of layering and heuristics for combining different known techniques, in order to exploit the strengths and to overcome the limitations of each of them. Both the experimental results of [Gri12] and the SMT solvers competition SMT-COMP'10² demonstrate that this is a state-of-the-art solver in SMT(LA(Z)).

The architecture of the solver is outlined in Fig. 2. It is organized as a layered hierarchy of submodules, with cheaper (but less powerful) ones invoked earlier and more often. The general strategy used for checking the consistency of a set of LA(Z)-constraints is as follows.

First, the rational relaxation of the problem is checked, using a Simplex-based LA(Q)-solver similar to that described in [DdM06]. If no conflict is detected, the model returned by the LA(Q)-solver is examined to check whether all integer variables are assigned to an integer value. If this happens, the LA(Q)-model is also a LA(Z)-model, and the solver can return SAT.

Otherwise, the specialized module for handling linear LA(Z) equations (Diophantine equations) is invoked. This module is similar to the first part of the Omega test described in [Pug91]: it takes all the equations in the input problem, and tries to eliminate them by computing a solution of the system and then substituting each variable in the inequalities with its expression. If the system of equations itself is infeasible, this module is also able to detect the inconsistency, and to produce one unsatisfiability proof expressed as a linear combination of the input equations (see [Gri12] for details). Otherwise, the inequalities obtained by substituting the variables with their expressions are normalized, tightened³ and then sent to the LA(Q)-solver, in order to check the LA(Q)-consistency of the new set of constraints.

² http://www.smtcomp.org/2010/

If no conflict is detected, the branch and bound module is invoked, which tries to find a LA(Z)-solution via branch and bound [Sch86]. This module is itself divided into two submodules operating in sequence. First, the "internal" branch and bound module is activated, which performs case splits directly within the LA(Z)-solver. The internal search is performed only for a bounded (and small) number of branches, after which the "external" branch and bound module is called. This works in cooperation with the DPLL engine, using the "splitting on-demand" approach of [BNOT06]: case splits are delegated to DPLL, by sending to it LA(Z)-valid clauses of the form (t − c ≤ 0) ∨ (−t + c + 1 ≤ 0) (called branch-and-bound lemmas) that encode the required splits. Such clauses are generated with the "cuts from proofs" algorithm of [DDA09]: "normal" branch-and-bound steps (splitting cases on an individual variable) are interleaved with "extended" steps, in which branch-and-bound lemmas involve an arbitrary linear combination of variables, generated by computing proofs of unsatisfiability of particular systems of Diophantine equations.

3. From LA(Z)-solving to LA(Z)-interpolation

Our objective is that of devising an interpolation algorithm that could be implemented on top of the LA(Z)-solver described in the previous section without affecting its efficiency. To this end, we combine different algorithms corresponding to the different submodules of the LA(Z)-solver, so that each of the submodules requires only minor modifications.

3.1. Interpolation for Diophantine equations. We first consider only conjunctions of positive LA(Z)-equations in the form Σᵢ aᵢvᵢ + c = 0. We recall a fundamental property of LA(Z).

Property 3.1. The equation Σᵢ aᵢvᵢ + c = 0 is unsatisfiable in LA(Z) if the GCD of the coefficients aᵢ does not divide the constant c.

An interpolation procedure for systems of Diophantine equations was given by Jain et al. in [JCG08]. The procedure starts from a proof of unsatisfiability expressed as a linear combination of the input equations whose result is an LA(Z)-inconsistent equation as in Property 3.1. Given one such proof of unsatisfiability for a system of equations partitioned into A and B, let (Σ_{vᵢ∈A∩B} aᵢvᵢ + Σ_{vⱼ∈A\B} bⱼvⱼ + c = 0) be the linear combination of the equations from A with the coefficients given by the proof of unsatisfiability. Then, I ≡ Σ_{vᵢ∈A∩B} aᵢvᵢ + c =_g 0, where g is any integer that divides GCD({bⱼ}_{vⱼ∈A\B}), is an interpolant for (A, B) [JCG08].

Example 3.2. Consider the following interpolation problem for the set of equalities

A ≡ (−y₁ − y₂ − 4y₃ + x₁ + 2 = 0) ∧ (−y₃ − x₁ + x₂ = 0) ∧ (−x₁ − 2x₂ + 1 = 0)

B ≡ (7y₁ + 12y₂ + 31y₃ + 10x₁ − 17 = 0)

One unsatisfiability proof expressed as a linear combination of the input equations is the following:

7·(−y₁ − y₂ − 4y₃ + x₁ + 2 = 0) + (7y₁ + 12y₂ + 31y₃ + 10x₁ − 17 = 0)   gives   5y₂ + 3y₃ + 17x₁ − 3 = 0
3·(−y₃ − x₁ + x₂ = 0) + (5y₂ + 3y₃ + 17x₁ − 3 = 0)   gives   5y₂ + 14x₁ + 3x₂ − 3 = 0
4·(−x₁ − 2x₂ + 1 = 0) + (5y₂ + 14x₁ + 3x₂ − 3 = 0)   gives   5y₂ + 10x₁ − 5x₂ + 1 = 0

By Property 3.1 the root equation 5y₂ + 10x₁ − 5x₂ + 1 = 0 is LA(Z)-inconsistent since GCD({5, 5, 10}) = 5 does not divide 1. The proof combines three equations from A with coefficients 7, 3 and 4 respectively. Considering only these equations,⁴ we have:

7·(−y₁ − y₂ − 4y₃ + x₁ + 2 = 0)   gives   −7y₁ − 7y₂ − 28y₃ + 7x₁ + 14 = 0
3·(−y₃ − x₁ + x₂ = 0) + (−7y₁ − 7y₂ − 28y₃ + 7x₁ + 14 = 0)   gives   −7y₁ − 7y₂ − 31y₃ + 4x₁ + 3x₂ + 14 = 0
4·(−x₁ − 2x₂ + 1 = 0) + (−7y₁ − 7y₂ − 31y₃ + 4x₁ + 3x₂ + 14 = 0)   gives   −7y₁ − 7y₂ − 31y₃ − 5x₂ + 18 = 0

Then, I ≡ −7y₁ − 7y₂ − 31y₃ + 18 =_5 0 is an interpolant for (A, B).

³ An LA(Z)-inequality Σᵢ aᵢvᵢ + c ≤ 0 can be tightened by dividing the constant c by the GCD g of the coefficients, taking the ceiling of the result, and then multiplying it again by g: Σᵢ aᵢvᵢ + ⌈c/g⌉·g ≤ 0, s.t. g ≡ GCD({aᵢ}ᵢ).

Jain et al. show that a proof of unsatisfiability can be obtained by computing the Hermite Normal Form [Sch86] of the system of equations. However, this is only one possible way of obtaining such a proof. In particular, as shown in [Gri12], the submodule of our LA(Z)-solver that deals with Diophantine equations can directly produce proofs of unsatisfiability expressed as a linear combination of the input equations. Therefore, we can apply the interpolation algorithm of [JCG08] without any modification to the solver.
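An added example, not from the article or from MathSAT, implementing the procedure of [JCG08] recalled above on Example 3.2: given the coefficients of the unsatisfiability proof, it checks Property 3.1 on the root equation and builds the modular equality I from the combination of the A-equations. The dictionary encoding of equations is this example's own convention.

```python
"""
Interpolation for systems of Diophantine equations (Section 3.1, after Jain
et al.).  An equation  sum_i a_i v_i + c = 0  is a dict {variable: coefficient}
with the constant c stored under the key "1".
"""
from math import gcd
from functools import reduce

def lin_comb(eqs, coeffs):
    """sum_k coeff_k * eq_k, with zero coefficients dropped."""
    out = {}
    for eq, k in zip(eqs, coeffs):
        for v, a in eq.items():
            out[v] = out.get(v, 0) + k * a
    return {v: a for v, a in out.items() if a != 0}

def variables(eqs):
    return {v for eq in eqs for v in eq if v != "1"}

def is_la_z_inconsistent(eq):
    """Property 3.1: the GCD of the coefficients does not divide the constant
    (an equation with no variables is inconsistent iff its constant is nonzero)."""
    g = reduce(gcd, (a for v, a in eq.items() if v != "1"), 0)
    c = eq.get("1", 0)
    return c % g != 0 if g else c != 0

def diophantine_interpolant(A, B, coeffs_A, coeffs_B):
    """
    A, B: lists of equations.  coeffs_A, coeffs_B: coefficients of a proof of
    unsatisfiability, i.e. the linear combination of A and B with them is an
    LA(Z)-inconsistent equation.
    Returns (term, g) read as  term =_g 0  (g == 0 means a plain equality):
    the AB-common part of the A-combination, taken modulo the GCD of the
    coefficients of the A-local variables.
    """
    root = lin_comb(A + B, coeffs_A + coeffs_B)
    if not is_la_z_inconsistent(root):
        raise ValueError("coefficients are not an LA(Z)-unsatisfiability proof")
    comb_a = lin_comb(A, coeffs_A)
    common = variables(A) & variables(B)
    a_local = [a for v, a in comb_a.items() if v != "1" and v not in common]
    g = reduce(gcd, a_local, 0)          # 0 when no A-local variable survives
    term = {v: a for v, a in comb_a.items() if v == "1" or v in common}
    return term, g

# Example 3.2, constructed from the page's equations and proof coefficients.
A = [{"y1": -1, "y2": -1, "y3": -4, "x1": 1, "1": 2},
     {"y3": -1, "x1": -1, "x2": 1},
     {"x1": -1, "x2": -2, "1": 1}]
B = [{"y1": 7, "y2": 12, "y3": 31, "x1": 10, "1": -17}]
COEFFS_A, COEFFS_B = [7, 3, 4], [1]

def example_3_2():
    """Expected: -7y1 - 7y2 - 31y3 + 18 =_5 0."""
    return diophantine_interpolant(A, B, COEFFS_A, COEFFS_B)

if __name__ == "__main__":
    term, g = example_3_2()
    print(term, "=_%d 0" % g)
```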



3.2. Interpolation for inequalities. The second submodule of our LA(Z)-solver checks the LA(Q)-consistency of a set of inequalities, some of which are obtained by substitution and tightening [Gri12]. In this case, we produce interpolants starting from proofs of unsatisfiability in the cutting-plane proof system, a complete proof system for LA(Z), which is based on the following rules [Sch86]:

(1) Hyp:
    ─────────    if (t ≤ 0) is in the input set of LA(Z)-atoms
    (t ≤ 0)

(2) Comb:
    (t₁ ≤ 0)    (t₂ ≤ 0)
    ─────────────────────    where c₁, c₂ > 0
    (c₁t₁ + c₂t₂ ≤ 0)

(3) Strengthen:
    (Σᵢ cᵢvᵢ + c ≤ 0)
    ──────────────────────────    where d > 0 is an integer that divides all the cᵢ's
    (Σᵢ cᵢvᵢ + d·⌈c/d⌉ ≤ 0)

(Notationally, hereafter we omit representing the Hyp rule explicitly, writing its implied atom as a leaf node in a proof tree; moreover, we often omit the labels "Comb".)

⁴ or, alternatively, substituting all equations in B with the "true" equation 0 = 0.
3.2.1. Generating cutting-plane proofs in the LA(Z)-solver. The equality elimination and tightening step generates new inequalities (t′ + d + k ≤ 0) starting from a set of input equalities {e₁ = 0, …, eₙ = 0} and an input inequality (t + c ≤ 0). Thanks to its proof-production capabilities [Gri12], we can extract from the Diophantine equations submodule the coefficients {c₁, …, cₙ} such that (Σᵢ cᵢeᵢ + t + c ≤ 0) ≡ (t′ + d ≤ 0). Thus, we can generate a proof of (t′ + d ≤ 0) by using the Comb and Hyp rules. We then use the Strengthen rule to obtain a proof of (t′ + d + k ≤ 0). The new inequalities generated are then added to the LA(Q)-solver. If a LA(Q)-conflict is found, then the LA(Q)-solver produces a LA(Q)-proof of unsatisfiability (as described in [CGS10]) in which some of the leaves are the new inequalities generated by equality elimination and tightening. We can then simply replace such leaves with the corresponding cutting-plane proofs to obtain the desired cutting-plane unsatisfiability proof.

Example 3.3. Consider the following sets of LA(Z)-constraints:

E ≡ { 2v₁ − 5v₃ = 0,  v₂ − 3v₄ = 0 }        I ≡ { −2v₁ − v₂ − v₃ + 7 ≤ 0,  2v₁ + v₂ + v₃ − 8 ≤ 0 }

E ∪ I is satisfiable over the rationals, but not over the integers. Therefore, the LA(Z)-solver invokes the equality elimination procedure, which generates a new set I′ of inequalities by "inlining" the equalities of E in I. In particular, I′ is generated as follows:

−5·(2v₁ − 5v₃ = 0),  1·(v₂ − 3v₄ = 0),  (−2v₁ − v₂ − v₃ + 7 ≤ 0)   ⇝   (−3v₄ − 12v₁ + 24v₃ + 7 ≤ 0)
 5·(2v₁ − 5v₃ = 0),  −1·(v₂ − 3v₄ = 0),  (2v₁ + v₂ + v₃ − 8 ≤ 0)   ⇝   (3v₄ + 12v₁ − 24v₃ − 8 ≤ 0)        (3.1)

The inequalities in I′ can now be tightened by dividing the constant by the GCD of the coefficients, taking the ceiling of the result, and then multiplying again:

−3v₄ − 12v₁ + 24v₃ + ⌈7/3⌉·3 ≤ 0    which becomes    −3v₄ − 12v₁ + 24v₃ + 9 ≤ 0
 3v₄ + 12v₁ − 24v₃ + ⌈−8/3⌉·3 ≤ 0   which becomes    3v₄ + 12v₁ − 24v₃ − 6 ≤ 0

I″ is then sent back to the LA(Q)-solver, which can now easily detect its inconsistency, producing the following LA(Q)-proof of unsatisfiability P_LA(Q) for it:

P_LA(Q) ≡
    1·(−3v₄ − 12v₁ + 24v₃ + 9 ≤ 0)    1·(3v₄ + 12v₁ − 24v₃ − 6 ≤ 0)
    ───────────────────────────────────────────────────────────────
                                3 ≤ 0

The final cutting-plane proof P_LA(Z) for the LA(Z)-unsatisfiability of E ∪ I can then be constructed by replacing the two inequalities in P_LA(Q) with their proofs P₁ and P₂, constructed with the information (3.1) computed by the equality elimination procedure:

P₁ ≡
                          (v₂ − 3v₄ ≤ 0)    (−2v₁ − v₂ − v₃ + 7 ≤ 0)
                          ─────────────────────────────────────────
    5·(−2v₁ + 5v₃ ≤ 0)          (−3v₄ − 2v₁ − v₃ + 7 ≤ 0)
    ──────────────────────────────────────────────────────
              (−3v₄ − 12v₁ + 24v₃ + 7 ≤ 0)
              ───────────────────────────── [Strengthen]
              (−3v₄ − 12v₁ + 24v₃ + 9 ≤ 0)

P₂ ≡
                          (−v₂ + 3v₄ ≤ 0)    (2v₁ + v₂ + v₃ − 8 ≤ 0)
                          ─────────────────────────────────────────
    5·(2v₁ − 5v₃ ≤ 0)           (3v₄ + 2v₁ + v₃ − 8 ≤ 0)
    ──────────────────────────────────────────────────────
              (3v₄ + 12v₁ − 24v₃ − 8 ≤ 0)
              ───────────────────────────── [Strengthen]
              (3v₄ + 12v₁ − 24v₃ − 6 ≤ 0)

P_LA(Z) ≡
                  P₁                                P₂
    1·(−3v₄ − 12v₁ + 24v₃ + 9 ≤ 0)    1·(3v₄ + 12v₁ − 24v₃ − 6 ≤ 0)
    ───────────────────────────────────────────────────────────────
                                3 ≤ 0



3.2.2. From proofs to interpolants. In analogy to previous work on LA(Q) and LA(Z) [McM05, BKRW10], we produce interpolants by annotating each step of the proof of unsatisfiability of A ∧ B, such that the annotation for the root of the proof (deriving an inconsistent inequality (c ≤ 0) with c ∈ Z_{>0}) is an interpolant for (A, B).

Definition 3.4 (Valid annotated sequent). An annotated sequent is a sequent in the form (A, B) ⊢ (t ≤ 0)[I] where A and B are conjunctions of equalities and inequalities in LA(Z), and where I (called annotation) is a set of pairs ((tᵢ ≤ 0), Eᵢ) in which Eᵢ is a (possibly empty) conjunction of equalities and modular equalities. It is said to be valid when:

(1) A ⊨ ∨_{(tᵢ≤0, Eᵢ)∈I} ((tᵢ ≤ 0) ∧ Eᵢ);

(2) for all (tᵢ ≤ 0, Eᵢ) ∈ I, B ∧ Eᵢ ⊨ (t − tᵢ ≤ 0);

(3) for every element ((tᵢ ≤ 0), Eᵢ) of I, tᵢ ≼ A, (t − tᵢ) ≼ B, Eᵢ ≼ A and Eᵢ ≼ B.

Definition 3.5 (Interpolating Rules). The LA(Z)-interpolating inference rules that we use are the following:

(1) Hyp-A:
    ──────────────────────────────    if (t ≤ 0) ∈ A or (t = 0) ∈ A
    (A, B) ⊢ (t ≤ 0)[{(t ≤ 0, ⊤)}]

(2) Hyp-B:
    ──────────────────────────────    if (t ≤ 0) ∈ B or (t = 0) ∈ B
    (A, B) ⊢ (t ≤ 0)[{(0 ≤ 0, ⊤)}]

(3) Comb:
    (A, B) ⊢ (t₁ ≤ 0)[I₁]    (A, B) ⊢ (t₂ ≤ 0)[I₂]
    ─────────────────────────────────────────────    where:
    (A, B) ⊢ (c₁t₁ + c₂t₂ ≤ 0)[I]

    — c₁, c₂ > 0;

    — I ≡ {(c₁t′₁ + c₂t′₂ ≤ 0, E₁ ∧ E₂) | (t′₁ ≤ 0, E₁) ∈ I₁ and (t′₂ ≤ 0, E₂) ∈ I₂}.

(4) Strengthen:
    (A, B) ⊢ (Σᵢ cᵢxᵢ + c ≤ 0)[{(t′ ≤ 0, ⊤)}]
    ─────────────────────────────────────────    where:
    (A, B) ⊢ (Σᵢ cᵢxᵢ + c + k ≤ 0)[I]

    — k ≡ d·⌈c/d⌉ − c, and d > 0 is an integer that divides all the cᵢ's;

    — I ≡ {(t′ + j ≤ 0, ∃(x ∉ B).(t′ + j = 0)) | 0 ≤ j < k} ∪ {(t′ + k ≤ 0, ⊤)}; and

    — ∃(x ∉ B).(t′ + j = 0) denotes the result of the existential elimination from (t′ + j = 0) of all and only the variables x₁, …, xₙ not occurring in B.

(We recall that ∃(x₁, …, xₙ).(Σᵢ aᵢxᵢ + Σⱼ dⱼyⱼ + c = 0) ≡ (Σⱼ dⱼyⱼ + c =_{GCD({aᵢ})} 0), and that (t =_0 0) ≡ (t = 0).)

Theorem 3.6. All the interpolating rules preserve the validity of the sequents.

Proof. In the following, let φ_I ≡ ∨_{(tᵢ≤0, Eᵢ)∈I} ((tᵢ ≤ 0) ∧ Eᵢ).

(1) Hyp-A: obvious.

(2) Hyp-B: obvious.

(3) Comb

(3.1) By hypothesis, we have A ⊨ φ_{I₁} and A ⊨ φ_{I₂}. Therefore

    A ⊨ (∨ᵢ (t′₁ᵢ ≤ 0 ∧ E₁ᵢ)) ∧ (∨ⱼ (t′₂ⱼ ≤ 0 ∧ E₂ⱼ)).

By applying DeMorgan's rules:

    A ⊨ ∨ᵢ ((t′₁ᵢ ≤ 0 ∧ E₁ᵢ) ∧ (∨ⱼ (t′₂ⱼ ≤ 0 ∧ E₂ⱼ))) ≡ ∨ᵢ ∨ⱼ ((t′₁ᵢ ≤ 0 ∧ t′₂ⱼ ≤ 0) ∧ E₁ᵢ ∧ E₂ⱼ),

where we call ψᵢⱼ the subformula (t′₁ᵢ ≤ 0 ∧ t′₂ⱼ ≤ 0). Now, since c₁, c₂ > 0, we have that ψᵢⱼ ⊨ (c₁t′₁ᵢ + c₂t′₂ⱼ ≤ 0); therefore

    A ⊨ ∨ᵢ ∨ⱼ ((c₁t′₁ᵢ + c₂t′₂ⱼ ≤ 0) ∧ E₁ᵢ ∧ E₂ⱼ) ≡ φ_I.

(3.2) By hypothesis, we have

    B ∧ E₁ᵢ ⊨ (t₁ − t′₁ᵢ ≤ 0)   and   B ∧ E₂ⱼ ⊨ (t₂ − t′₂ⱼ ≤ 0)

for all (t′₁ᵢ, E₁ᵢ) ∈ I₁ and (t′₂ⱼ, E₂ⱼ) ∈ I₂. Therefore:

    B ∧ E₁ᵢ ∧ E₂ⱼ ⊨ (t₁ − t′₁ᵢ ≤ 0) ∧ (t₂ − t′₂ⱼ ≤ 0)
                  ⊨ ((c₁t₁ − c₁t′₁ᵢ) + (c₂t₂ − c₂t′₂ⱼ) ≤ 0) ≡ ((c₁t₁ + c₂t₂) − (c₁t′₁ᵢ + c₂t′₂ⱼ) ≤ 0).

(3.3) Follows immediately from the hypothesis.

(4) Strengthen

(4.1) We observe that in this case φ_I is equivalent to

    ∨_{0≤j<k} ∃(x ∉ B).(t′ + j = 0) ∨ (t′ + k ≤ 0).

We also observe that, in LA(Z), (t′ ≤ 0) is equivalent to⁵

    ψ_I ≡ ∨_{0≤j<k} (t′ + j = 0) ∨ (t′ + k ≤ 0).

By hypothesis, A ⊨ (t′ ≤ 0), and thus A ⊨ ψ_I. Since ψ_I ⊨ φ_I, we can immediately conclude.

⁵ In fact, this is true for all t′ and all k ∈

(4.2) The hypothesis in this case is:

    B ⊨ ((Σᵢ cᵢxᵢ + c) − t′ ≤ 0).

We want to prove that

(i) B ∧ ∃(x ∉ B).(t′ + j = 0) ⊨ ((Σᵢ cᵢxᵢ + c + k) − (t′ + j) ≤ 0) for all 0 ≤ j < k; and

(ii) B ⊨ ((Σᵢ cᵢxᵢ + c + k) − (t′ + k) ≤ 0).

The latter follows immediately from the hypothesis.

As regards (i), from the hypothesis and the fact that (t′ + j = 0) ⊨ (t′ + j ≤ 0) we have

    B ∧ (t′ + j = 0) ⊨ (((Σᵢ cᵢxᵢ + c) − t′) + (t′ + j) ≤ 0) ≡ (Σᵢ cᵢxᵢ + c + j ≤ 0).

But then

    B ∧ (t′ + j = 0) ⊨ (Σᵢ cᵢxᵢ + d·⌈(c + j)/d⌉ ≤ 0),        (3.2)

where d > 0 divides all the cᵢ's. By definition, k = d·⌈c/d⌉ − c and j < k. Therefore c + j < d·⌈c/d⌉, that is, (c + j)/d < ⌈c/d⌉ (since d > 0), and thus ⌈(c + j)/d⌉ ≤ ⌈c/d⌉. But since j ≥ 0, (c + j)/d ≥ c/d, and so it must be ⌈(c + j)/d⌉ = ⌈c/d⌉. From this fact and (3.2) it follows that

    B ∧ (t′ + j = 0) ⊨ (Σᵢ cᵢxᵢ + d·⌈c/d⌉ ≤ 0) ≡ (Σᵢ cᵢxᵢ + c + k ≤ 0).

Since (t′ + j = 0) ⊨ (−(t′ + j) ≤ 0), then

    B ∧ (t′ + j = 0) ⊨ (Σᵢ cᵢxᵢ + c + k ≤ 0) ∧ (−(t′ + j) ≤ 0) ⊨ (Σᵢ cᵢxᵢ + c + k − (t′ + j) ≤ 0).

Therefore,

    ∃(x ∉ B).(B ∧ (t′ + j = 0)) ⊨ ∃(x ∉ B).(Σᵢ cᵢxᵢ + c + k − (t′ + j) ≤ 0).

We can then conclude by observing that:

— trivially, ∃(x ∉ B).(B ∧ (t′ + j = 0)) ≡ B ∧ ∃(x ∉ B).(t′ + j = 0); and

— from the validity of the premise of the Strengthen rule, we have that (Σᵢ cᵢxᵢ + c − t′ ≤ 0) ≼ B, and thus ∃(x ∉ B).(Σᵢ cᵢxᵢ + c + k − (t′ + j) ≤ 0) ≡ (Σᵢ cᵢxᵢ + c + k − (t′ + j) ≤ 0).

(4.3) Follows immediately from the hypothesis and the fact that variables not occurring in B are eliminated from equations. □
Corollary 3.7. If we can derive a valid sequent (A, B) ⊢ c ≤ 0[I] with c ∈ Z_{>0}, then φ_I ≡ ∨_{(tᵢ≤0, Eᵢ)∈I} ((tᵢ ≤ 0) ∧ Eᵢ) is an interpolant for (A, B).

Proof.

(1) A ⊨ φ_I. Trivial from the first validity condition.

(2) B ∧ φ_I ⊨ ⊥. From the second validity condition, we have

    B ∧ Eᵢ ⊨ (c − tᵢ ≤ 0)

for all (tᵢ ≤ 0, Eᵢ) ∈ I. Therefore,

    B ∧ Eᵢ ∧ ¬(c − tᵢ ≤ 0) ⊨ ⊥.

Since c ∈ Z_{>0}, ¬(c − tᵢ ≤ 0) is entailed in LA(Z) by (tᵢ ≤ 0), and thus

    B ∧ Eᵢ ∧ (tᵢ ≤ 0) ⊨ ⊥

for all (tᵢ ≤ 0, Eᵢ) ∈ I. Thus, B ∧ φ_I ⊨ ⊥.

(3) φ_I ≼ A and φ_I ≼ B. Trivial from the third validity condition. □

Notice that the first three rules correspond to the rules for LA(Q) given in [McM05], whereas Strengthen is a reformulation of the k-Strengthen rule given in [BKRW10]. Moreover, although the rules without annotations are refutationally complete for LA(Z), in the above formulation the annotation of Strengthen might prevent its applicability, thus losing completeness. In particular, it only allows to produce proofs with at most one strengthening per branch. Such a restriction has been put only for simplifying the proofs of correctness, and it is not present in the original k-Strengthen of [BKRW10]. However, for our purposes this is not a problem, since we use the above rules only in the second submodule of our LA(Z)-solver, which always produces proofs with at most one strengthening per branch.

Example 3.8. Consider the following interpolation problem [KLR10]:

A ≡ (−y₁ − 10x₁ − 4 ≤ 0) ∧ (y₁ + 10x₁ ≤ 0)

B ≡ (−y₁ − 10z₁ + 1 ≤ 0) ∧ (y₁ + 10z₁ − 5 ≤ 0).

Using the above interpolating rules, we can construct the following annotated cutting-plane proof of unsatisfiability (the annotation of each sequent is written in square brackets after its inequality):

    y₁ + 10x₁ ≤ 0 [{(y₁ + 10x₁ ≤ 0, ⊤)}]    −y₁ − 10z₁ + 1 ≤ 0 [{(0 ≤ 0, ⊤)}]
    ───────────────────────────────────────────────────────────────────
    10x₁ − 10z₁ + 1 ≤ 0 [{(y₁ + 10x₁ ≤ 0, ⊤)}]
    ─────────────────────────────────────────────────────────────────── [Strengthen]
    10x₁ − 10z₁ + 10 ≤ 0 [{(y₁ + 10x₁ + j ≤ 0, ∃x₂.(y₁ + 10x₂ + j = 0)) | 0 ≤ j < 9} ∪ {(y₁ + 10x₁ + 9 ≤ 0, ⊤)}]

    −y₁ − 10x₁ − 4 ≤ 0 [{(−y₁ − 10x₁ − 4 ≤ 0, ⊤)}]    y₁ + 10z₁ − 5 ≤ 0 [{(0 ≤ 0, ⊤)}]
    ───────────────────────────────────────────────────────────────────────
    −10x₁ + 10z₁ − 9 ≤ 0 [{(−y₁ − 10x₁ − 4 ≤ 0, ⊤)}]

    10x₁ − 10z₁ + 10 ≤ 0 [as above]    −10x₁ + 10z₁ − 9 ≤ 0 [as above]
    ────────────────────────────────────────────────────────────────
    1 ≤ 0 [{(j − 4 ≤ 0, ∃x₂.(y₁ + 10x₂ + j = 0)) | 0 ≤ j < 9} ∪ {(5 ≤ 0, ⊤)}]

Since (j − 4 ≤ 0) ⊨ ⊥ when j ≥ 5, the generated interpolant I is:

I ≡ ∃x₂.((y₁ + 10x₂ = 0) ∨ (y₁ + 10x₂ + 1 = 0) ∨ … ∨ (y₁ + 10x₂ + 4 = 0))
  ≡ (y₁ =_10 0) ∨ (y₁ =_10 −1) ∨ (y₁ =_10 −2) ∨ (y₁ =_10 −3) ∨ (y₁ =_10 −4)
3.2.3. Conditional strengthening. In [BKRW10] some optimizations of the k-Strengthen rule are given for some special cases. Here, we present another one, which lets us avoid performing case splits under certain conditions, and thus results in more concise interpolants than the general Strengthen rule. In particular, if both the result of a Strengthen rule and the linear combination of all the inequalities from $B$ in the subtree on top of the Strengthen contain only AB-common symbols, then it is possible to perform a conditional strengthening as follows:

Conditional-Strengthen:
$$\frac{(A,B) \vdash \sum_i c_i x_i + c \le 0\;[\{(t' \le 0, \top)\}]}{(A,B) \vdash \sum_i c_i x_i + c + k \le 0\;[I]}$$

where:

- $d > 0$ is an integer that divides all the $c_i$'s;
- $\sum_i c_i x_i + c + k$ is AB-common;
- $I = \{(\neg P, \neg P),\ (\sum_i c_i x_i + c + k \le 0, \top)\}$;
- $P \stackrel{\text{def}}{=} \sum_i c_i x_i + c - t' \le 0$ is the single inequality obtained by combining all the constraints from $B$ in the subtree on top of the premise (with the coefficients occurring in the subtree);
- $P$ is AB-common.

We observe that this is similar to what we do in Case 4 of our interpolation algorithm for $\mathcal{UTVPI}$ [CGS10]. Further, notice that in the definition above, with a little abuse of notation, we are storing an inequality as the second component of the first pair of $I$, and not an equality. However, this does not affect the validity of Hyp-A, Hyp-B and Comb. Together with the fact that we only generate proofs with at most one strengthening per branch (see above), the following theorem is then enough to ensure that Corollary 3.7 still holds.

Theorem 3.9. Conditional-Strengthen preserves the validity of the sequents.

Proof.

(1) We observe that in this case $\varphi_I$ is equivalent to $\varphi'_I \stackrel{\text{def}}{=} \neg P \vee (\sum_i c_i x_i + c + k \le 0)$. By hypothesis, $A \models (t' \le 0)$, and by definition $P \equiv (\sum_i c_i x_i + c - t' \le 0)$. Therefore,
$$A \models \left(P \rightarrow \left(\sum_i c_i x_i + c \le 0\right)\right) \equiv \left(P \rightarrow \left(\sum_i c_i x_i + c + k \le 0\right)\right)$$
(the equivalence holds in $\mathcal{LA}(\mathbb{Z})$ since $d$ divides all the $c_i$'s). Hence $A \models (\neg P \vee (\sum_i c_i x_i + c + k \le 0)) \equiv \varphi_I$.

(2) We observe that
$$\neg P \equiv \left(-\sum_i c_i x_i - c + t' + 1 \le 0\right).$$
By hypothesis, $B \models (\sum_i c_i x_i + c - t' \le 0) \equiv P$, hence $B \wedge \neg P \models \bot$. Therefore, we can conclude that:

(a) $B \wedge \neg P \models \left(\left(\sum_i c_i x_i + c + k\right) - \left(-\sum_i c_i x_i - c + t' + 1\right) \le 0\right)$, and

(b) $B \models \left(\left(\sum_i c_i x_i + c + k\right) - \left(\sum_i c_i x_i + c + k\right) \le 0\right)$.

(3) Follows immediately from the hypothesis. □
Example 3.10. Consider the following variant of Example 3.8:
$$A = (-y_1 - 10y_3 - 4 \le 0) \wedge (y_1 + 10y_3 \le 0) \wedge (y_2 + x_1 \le 0)$$
$$B = (-y_1 - 10y_2 + 1 \le 0) \wedge (y_1 + 10y_2 - 5 \le 0) \wedge (y_3 + z_1 \le 0)$$

By applying Hyp-A, Hyp-B, Comb and Strengthen rules, we can obtain the following unsatisfiability proof with an interpolant $I_1$:

- Hyp-A: $y_1 + 10y_3 \le 0\;[\{(y_1 + 10y_3 \le 0, \top)\}]$
- Hyp-B: $-y_1 - 10y_2 + 1 \le 0\;[\{(0 \le 0, \top)\}]$
- Comb: $10y_3 - 10y_2 + 1 \le 0\;[\{(y_1 + 10y_3 \le 0, \top)\}]$
- Strengthen: $10y_3 - 10y_2 + 10 \le 0\;[\{(y_1 + 10y_3 + j \le 0,\ y_1 + 10y_3 + j = 0) \mid 0 \le j < 9\} \cup \{(y_1 + 10y_3 + 9 \le 0, \top)\}]$
- Hyp-A: $-y_1 - 10y_3 - 4 \le 0\;[\{(-y_1 - 10y_3 - 4 \le 0, \top)\}]$
- Hyp-B: $y_1 + 10y_2 - 5 \le 0\;[\{(0 \le 0, \top)\}]$
- Comb: $-10y_3 + 10y_2 - 9 \le 0\;[\{(-y_1 - 10y_3 - 4 \le 0, \top)\}]$
- Comb of the Strengthen result with the last Comb result: $1 \le 0\;[I_1]$

where $I_1$ is defined as follows:
$$I_1 = \{(j - 4 \le 0,\ y_1 + 10y_3 + j = 0) \mid 0 \le j < 9\} \cup \{(5 \le 0, \top)\},$$
$$\equiv (y_1 + 10y_3 = 0) \vee (y_1 + 10y_3 + 1 = 0) \vee (y_1 + 10y_3 + 2 = 0) \vee (y_1 + 10y_3 + 3 = 0) \vee (y_1 + 10y_3 + 4 = 0)$$

We observe from the above proof that all the inequalities from $B$ above the tightened inequality $(10y_3 - 10y_2 + 1 \le 0)$, and this inequality itself, contain only AB-common symbols. Therefore, we can replace the Strengthen rule with the Conditional-Strengthen rule in the above proof to obtain a more concise interpolant $I_2$:

- Hyp-A: $y_1 + 10y_3 \le 0\;[\{(y_1 + 10y_3 \le 0, \top)\}]$
- Hyp-B: $-y_1 - 10y_2 + 1 \le 0\;[\{(0 \le 0, \top)\}]$
- Comb: $10y_3 - 10y_2 + 1 \le 0\;[\{(y_1 + 10y_3 \le 0, \top)\}]$
- Conditional-Strengthen (here $P = (-y_1 - 10y_2 + 1 \le 0)$, the only $B$-constraint in the subtree, and $\neg P \equiv (y_1 + 10y_2 \le 0)$): $10y_3 - 10y_2 + 10 \le 0\;[\{(y_1 + 10y_2 \le 0,\ y_1 + 10y_2 \le 0),\ (10y_3 - 10y_2 + 10 \le 0, \top)\}]$
- Hyp-A: $-y_1 - 10y_3 - 4 \le 0\;[\{(-y_1 - 10y_3 - 4 \le 0, \top)\}]$
- Hyp-B: $y_1 + 10y_2 - 5 \le 0\;[\{(0 \le 0, \top)\}]$
- Comb: $-10y_3 + 10y_2 - 9 \le 0\;[\{(-y_1 - 10y_3 - 4 \le 0, \top)\}]$
- Comb of the Conditional-Strengthen result with the last Comb result: $1 \le 0\;[I_2]$

where $I_2$ is defined as follows:
$$I_2 = \{(10y_2 - 10y_3 - 4 \le 0,\ y_1 + 10y_2 \le 0),\ (-y_1 - 10y_2 + 6 \le 0, \top)\}$$
$$\equiv ((10y_2 - 10y_3 - 4 \le 0) \wedge (y_1 + 10y_2 \le 0)) \vee (-y_1 - 10y_2 + 6 \le 0),$$

(which can then be simplified to $((y_2 - y_3 \le 0) \wedge (y_1 + 10y_2 \le 0)) \vee (-y_1 - 10y_2 + 6 \le 0)$.)



3.3. Interpolation with branch-and-bound.

3.3.1. Interpolation via splitting on-demand. In the splitting on-demand approach, the $\mathcal{LA}(\mathbb{Z})$-solver might not always detect the unsatisfiability of a set of constraints by itself; rather, it might cooperate with the DPLL solver by asking it to perform some case splits, by sending to DPLL some additional $\mathcal{LA}(\mathbb{Z})$-lemmas encoding the different case splits. In our interpolation procedure, we must take this possibility into account.

Let $(t - c \le 0) \vee (-t + c + 1 \le 0)$ be a branch-and-bound lemma added to the DPLL solver by the $\mathcal{LA}(\mathbb{Z})$-solver, using splitting on-demand. If $t \preceq A$ or $t \preceq B$, then we can exploit the Boolean interpolation algorithm also for computing interpolants in the presence of splitting-on-demand lemmas. The key observation is that the lemma $(t - c \le 0) \vee (-t + c + 1 \le 0)$ is a valid clause in $\mathcal{LA}(\mathbb{Z})$. Therefore, we can add it to any formula without affecting its satisfiability. Thus, if $t \preceq A$ we can treat the lemma as a clause from $A$, and if $t \preceq B$ we can treat it as a clause from $B$; if both $t \preceq A$ and $t \preceq B$, we are free to choose between the two alternatives.

Example 3.11. Consider the following $\mathcal{LA}(\mathbb{Z})$ set of constraints $S$, which is first fed to the $\mathcal{LA}(\mathbb{Q})$-solver, producing the $\mathcal{LA}(\mathbb{Q})$ model $\mu_S$:
$$S \stackrel{\text{def}}{=} \left\{\begin{array}{l} y_1 + 5y_2 - 5y_3 - 2x_1 + 2 \le 0 \\ -y_1 - 5y_2 + 5y_3 + 4z_1 - 3 \le 0 \\ x_1 \le 0 \\ y_1 \le 0 \\ -y_1 \le 0 \\ -y_2 \le 0 \\ y_2 - 2 \le 0 \\ -y_3 \le 0 \\ y_3 - 1 \le 0 \\ -z_1 \le 0 \end{array}\right.$$

By splitting-on-demand, the $\mathcal{LA}(\mathbb{Z})$-solver adds the branch-and-bound lemmas
$$(y_2 \le 0) \vee (-y_2 + 1 \le 0)$$
$$(y_3 \le 0) \vee (-y_3 + 1 \le 0),$$

which are passed back to the DPLL engine. Suppose DPLL first "decides" $(y_3 \le 0)$ (plus possibly some literal in the first clause), invoking the layered $\mathcal{LA}(\mathbb{Z})$-solver. The inconsistency of the branch is detected directly by the $\mathcal{LA}(\mathbb{Q})$-solver, which produces the $\mathcal{LA}(\mathbb{Q})$-proof $P_1$ and the corresponding $\mathcal{LA}(\mathbb{Q})$-lemma $C_1$:

$P_1 \stackrel{\text{def}}{=}$
- $y_1 + 5y_2 - 5y_3 - 2x_1 + 2 \le 0$, combined with $2 \cdot (x_1 \le 0)$: $y_1 + 5y_2 - 5y_3 + 2 \le 0$
- combined with $(-y_1 \le 0)$: $5y_2 - 5y_3 + 2 \le 0$
- combined with $5 \cdot (-y_2 \le 0)$: $-5y_3 + 2 \le 0$
- combined with $5 \cdot (y_3 \le 0)$: $2 \le 0$

$$C_1 \stackrel{\text{def}}{=} \neg(y_1 + 5y_2 - 5y_3 - 2x_1 + 2 \le 0) \vee \neg(x_1 \le 0) \vee \neg(-y_1 \le 0) \vee \neg(-y_2 \le 0) \vee \neg(y_3 \le 0).$$

Then DPLL unit-propagates $\neg(y_3 \le 0)$, $(-y_3 + 1 \le 0)$ and decides $(y_2 \le 0)$. As before, the $\mathcal{LA}(\mathbb{Q})$-solver is sufficient to detect the inconsistency of the assignment, producing:

$P_2 \stackrel{\text{def}}{=}$
- $-y_1 - 5y_2 + 5y_3 + 4z_1 - 3 \le 0$, combined with $4 \cdot (-z_1 \le 0)$: $-y_1 - 5y_2 + 5y_3 - 3 \le 0$
- combined with $(y_1 \le 0)$: $-5y_2 + 5y_3 - 3 \le 0$
- combined with $5 \cdot (-y_3 + 1 \le 0)$: $-5y_2 + 2 \le 0$
- combined with $5 \cdot (y_2 \le 0)$: $2 \le 0$

$$C_2 \stackrel{\text{def}}{=} \neg(-y_1 - 5y_2 + 5y_3 + 4z_1 - 3 \le 0) \vee \neg(-z_1 \le 0) \vee \neg(y_1 \le 0) \vee \neg(-y_3 + 1 \le 0) \vee \neg(y_2 \le 0).$$

Consequently, also $\neg(y_2 \le 0)$, $(-y_2 + 1 \le 0)$ are unit-propagated. Likewise, the next step produces:

$P_3 \stackrel{\text{def}}{=}$
- $y_1 + 5y_2 - 5y_3 - 2x_1 + 2 \le 0$, combined with $2 \cdot (x_1 \le 0)$: $y_1 + 5y_2 - 5y_3 + 2 \le 0$
- combined with $(-y_1 \le 0)$: $5y_2 - 5y_3 + 2 \le 0$
- combined with $5 \cdot (y_3 - 1 \le 0)$: $5y_2 - 3 \le 0$
- combined with $5 \cdot (-y_2 + 1 \le 0)$: $2 \le 0$

$$C_3 \stackrel{\text{def}}{=} \neg(y_1 + 5y_2 - 5y_3 - 2x_1 + 2 \le 0) \vee \neg(x_1 \le 0) \vee \neg(-y_1 \le 0) \vee \neg(y_3 - 1 \le 0) \vee \neg(-y_2 + 1 \le 0).$$

Then no more assignments can be generated, so that DPLL returns unsat, and can produce a resolution proof $P$.

If $S$ is partitioned into $A$, $B$, since the lemmas involve only one variable and thus cannot be AB-mixed, then an interpolant can be computed from the Boolean resolution proof $P$ and the $\mathcal{LA}(\mathbb{Q})$-proofs $P_1, P_2, P_3$ in the standard way with Algorithm 2.2.

Thanks to the observation above, in order to be able to produce interpolants with splitting on-demand the only thing we need is to make sure that we do not generate lemmas containing AB-mixed terms. This is always the case for "normal" branch-and-bound lemmas (since they involve only one variable), but this is not true in general for "extended" branch-and-bound lemmas generated from proofs of unsatisfiability using the "cuts from proofs" algorithm of [DDA09]. The following example shows one such case.

Example 3.12. Let $A$ and $B$ be defined as
$$A = (y - 2x \le 0) \wedge (2x - y \le 0),\qquad B = (y - 2z - 1 \le 0) \wedge (2z + 1 - y \le 0)$$

When solving $A \wedge B$ using extended branch and bound, we might generate the following AB-mixed lemma: $(x - z \le 0) \vee (-x + z + 1 \le 0)$.
Since we want to be able to reuse the Boolean interpolation algorithm also for splitting on-demand, we want to avoid generating AB-mixed lemmas. However, we would still like to exploit the cuts from proofs algorithm of [DDA09] as much as possible. We describe how we do this in the following.



3.3.2. Interpolation with the cuts from proofs algorithm. The core of the cuts from proofs algorithm is the identification of the defining constraints of the current solution of the rational relaxation of the input set of $\mathcal{LA}(\mathbb{Z})$ constraints. A defining constraint is an input constraint $\sum_i c_i v_i + c \bowtie 0$ (where $\bowtie \in \{\le, =\}$) such that $\sum_i c_i v_i + c$ evaluates to zero under the current solution for the rational relaxation of the problem. After having identified the defining constraints $D$, the cuts from proofs algorithm checks the satisfiability of the system of Diophantine equations $D_E = \{\sum_i c_i v_i + c = 0 \mid (\sum_i c_i v_i + c \bowtie 0) \in D\}$. If $D_E$ is unsatisfiable, then it is possible to generate a proof of unsatisfiability for it. The root of such a proof is an equation $\sum_i c'_i v_i + c' = 0$ such that the GCD $g$ of the $c'_i$'s does not divide $c'$. From such an equation, the following extended branch and bound lemma is generated:
$$\left(\sum_i \frac{c'_i}{g} v_i \le \left\lceil \frac{-c'}{g} \right\rceil - 1\right) \vee \left(\left\lceil \frac{-c'}{g} \right\rceil \le \sum_i \frac{c'_i}{g} v_i\right)$$

Example 3.13. Consider the following set of $\mathcal{LA}(\mathbb{Z})$-constraints $S$ and its rational relaxation solution $\mu_S$:
$$S \stackrel{\text{def}}{=} \left\{\begin{array}{l} 5v_1 - 5v_2 - v_3 - 3 \le 0 \\ -5v_1 + 5v_2 + v_3 + 2 \le 0 \\ v_3 \le 0 \\ -v_3 \le 0 \end{array}\right.$$

The set of defining constraints $D$ for $(S, \mu_S)$ is then:
$$D \stackrel{\text{def}}{=} \left\{\begin{array}{l} -5v_1 + 5v_2 + v_3 + 2 \le 0 \\ v_3 \le 0 \\ -v_3 \le 0, \end{array}\right.$$
resulting in the following inconsistent system of Diophantine equations $D_E$:
$$D_E \stackrel{\text{def}}{=} \left\{\begin{array}{l} -5v_1 + 5v_2 + v_3 + 2 = 0 \\ v_3 = 0 \end{array}\right.$$

The Diophantine equations handler generates $-5v_1 + 5v_2 + 2 = 0$ as proof of unsatisfiability for $D_E$, resulting in the following branch-and-bound lemma:
$$\left(-v_1 + v_2 \le \left\lceil -\tfrac{2}{5} \right\rceil - 1\right) \vee \left(\left\lceil -\tfrac{2}{5} \right\rceil \le -v_1 + v_2\right),\ \text{or equivalently}\ (-v_1 + v_2 + 1 \le 0) \vee (v_1 - v_2 \le 0) \qquad (3.3)$$

After adding (3.3) to DPLL, the $\mathcal{LA}(\mathbb{Q})$-solver detects the $\mathcal{LA}(\mathbb{Q})$-inconsistency of both $S \cup \{-v_1 + v_2 + 1 \le 0\}$ and $S \cup \{v_1 - v_2 \le 0\}$.



If $\sum_i \frac{c'_i}{g} v_i$ is not AB-mixed, we can generate the above lemma also when computing interpolants. If $\sum_i \frac{c'_i}{g} v_i$ is AB-mixed, instead, we generate a different lemma, still exploiting the unsatisfiability of (the equations corresponding to) the defining constraints. Since $D_E$ is unsatisfiable, we know that the current rational solution $\mu$ is not compatible with the current set of defining constraints. If the defining constraints were all equations, the submodule for handling Diophantine equations would have detected the conflict. Therefore, there is at least one defining constraint $\sum_i c_i v_i + c \le 0$. Our idea is that of splitting this constraint into $(\sum_i c_i v_i + c + 1 \le 0)$ and $(\sum_i c_i v_i + c = 0)$, by generating the lemma
$$\neg\left(\sum_i c_i v_i + c \le 0\right) \vee \left(\sum_i c_i v_i + c + 1 \le 0\right) \vee \left(\sum_i c_i v_i + c = 0\right).$$

In this way, we are either "moving away" from the current bad rational solution $\mu$ (when $(\sum_i c_i v_i + c + 1 \le 0)$ is set to true), or we are forcing one more element of the set of defining constraints to be an equation (when $(\sum_i c_i v_i + c = 0)$ is set to true): if we repeat the splitting, then eventually all the defining constraints for the bad solution $\mu$ will be equations, thus allowing the Diophantine equations handler to detect the conflict without the need of generating more branch-and-bound lemmas. Since the set of defining constraints is a subset of the input constraints, lemmas generated in this way will never be AB-mixed.
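The lemma selection just described, as an added Python illustration that is not the paper's or MathSAT's code: it identifies the defining constraints of a rational solution, builds the GCD-based extended branch-and-bound lemma from a root equation (the Diophantine unsatisfiability proof that produces that equation is assumed to be given), and falls back to the splitting lemma when the cut would be AB-mixed. The rational solutions $\mu$ in the two examples are constructed values chosen to make the page's defining constraints tight.

```python
from fractions import Fraction
from math import gcd, ceil
from functools import reduce

# Terms are dicts {var: int}; key "1" is the constant c of  sum_i c_i v_i + c.
# A constraint is (term, op) with op in {"<=", "="}, read as term <= 0 / term = 0.

def evaluate(term, mu):
    """Value of sum_i c_i v_i + c under the rational assignment mu."""
    return sum(Fraction(c) * (1 if v == "1" else mu[v]) for v, c in term.items())

def defining_constraints(constraints, mu):
    """Input constraints whose left-hand side is exactly zero under mu."""
    return [(t, op) for (t, op) in constraints if evaluate(t, mu) == 0]

def is_ab_mixed(term, a_vars, b_vars):
    """A term is AB-mixed when it mentions both an A-local and a B-local variable."""
    vs = {v for v in term if v != "1"}
    return bool(vs - b_vars) and bool(vs - a_vars)

def gcd_cut(equation):
    """Extended branch-and-bound lemma from a root equation sum c'_i v_i + c' = 0
    whose coefficient GCD g does not divide c':
        (sum (c'_i/g) v_i <= ceil(-c'/g) - 1)  or  (ceil(-c'/g) <= sum (c'_i/g) v_i)
    Both disjuncts are returned as terms t meaning t <= 0; None if g divides c'."""
    coeffs = {v: c for v, c in equation.items() if v != "1"}
    c0 = equation.get("1", 0)
    g = abs(reduce(gcd, coeffs.values()))
    if c0 % g == 0:
        return None
    bound = ceil(Fraction(-c0, g))            # the integer ceil(-c'/g)
    left = {v: c // g for v, c in coeffs.items()}
    left["1"] = -(bound - 1)                  # sum (c'_i/g) v_i - (bound - 1) <= 0
    right = {v: -(c // g) for v, c in coeffs.items()}
    right["1"] = bound                        # bound - sum (c'_i/g) v_i <= 0
    return [left, right]

def split_lemma(constraint):
    """Fallback lemma for a defining inequality t <= 0:
    not(t <= 0)  or  (t + 1 <= 0)  or  (t = 0)."""
    t, op = constraint
    assert op == "<="
    t_plus_1 = dict(t)
    t_plus_1["1"] = t.get("1", 0) + 1
    return [("not", t, "<="), (t_plus_1, "<="), (t, "=")]

def choose_lemma(root_equation, constraints, mu, a_vars, b_vars):
    """Prefer the GCD cut; if it would be AB-mixed, split a defining inequality
    instead, which is an input constraint and therefore never AB-mixed."""
    cut = gcd_cut(root_equation)
    if cut is not None and not is_ab_mixed(cut[0], a_vars, b_vars):
        return ("cut", cut)
    ineqs = [c for c in defining_constraints(constraints, mu) if c[1] == "<="]
    return ("split", split_lemma(ineqs[0]))

def example_3_13():
    """S and the root equation of Example 3.13; mu is a constructed solution."""
    S = [({"v1": 5, "v2": -5, "v3": -1, "1": -3}, "<="),
         ({"v1": -5, "v2": 5, "v3": 1, "1": 2}, "<="),
         ({"v3": 1}, "<="), ({"v3": -1}, "<=")]
    mu = {"v1": Fraction(2, 5), "v2": Fraction(0), "v3": Fraction(0)}
    root = {"v1": -5, "v2": 5, "1": 2}        # -5v1 + 5v2 + 2 = 0
    vs = {"v1", "v2", "v3"}                    # a single partition: nothing is AB-mixed
    return defining_constraints(S, mu), choose_lemma(root, S, mu, vs, vs)

def example_3_12():
    """A = (y = 2x), B = (y = 2z + 1): the GCD cut on 2z - 2x + 1 = 0 is AB-mixed,
    so the splitting lemma on a defining inequality is produced instead."""
    A = [({"y": 1, "x": -2}, "<="), ({"x": 2, "y": -1}, "<=")]
    B = [({"y": 1, "z": -2, "1": -1}, "<="), ({"z": 2, "1": 1, "y": -1}, "<=")]
    mu = {"x": Fraction(1, 4), "y": Fraction(1, 2), "z": Fraction(-1, 4)}  # constructed
    root = {"z": 2, "x": -2, "1": 1}           # y eliminated between the two equations
    return gcd_cut(root), choose_lemma(root, A + B, mu, {"x", "y"}, {"y", "z"})
```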

It should be mentioned that this procedure is very similar to the algorithm used in the recent work [KLR10] for avoiding the generation of AB-mixed cuts. However, the criterion used to select which inequality to split and how to split it is different (in [KLR10] such an inequality is selected among those that are violated by the closest integer solution to the current rational solution). Moreover, we don't do this systematically, but rather only if the cuts from proofs algorithm is not able to generate a non-AB-mixed lemma by itself. In a sense, the approach of [KLR10] is "pessimistic" in that it systematically excludes certain kinds of cuts, whereas our approach is more "optimistic".



3.3.3. Interpolation for the internal branch-and-bound module. From the point of view of interpolation, the subdivision of the branch-and-bound module into an "internal" and an "external" part poses no difficulty. The only difference between the two is that in the former the case splits are performed by the $\mathcal{LA}(\mathbb{Z})$-solver instead of DPLL. However, we can still treat such case splits as if they were performed by DPLL, build a Boolean resolution proof for the $\mathcal{LA}(\mathbb{Z})$-conflicts discovered by the internal branch-and-bound procedure, and then apply the propositional interpolation algorithm as in the case of splitting on-demand.

More specifically, a branch-and-bound proof is a tree in which the leaves are $\mathcal{LA}(\mathbb{Q})$-proofs of unsatisfiability, the root is an $\mathcal{LA}(\mathbb{Z})$-conflict set, and each internal node has two children that are labeled with two "complementary" atoms $(v - n \le 0)$ and $(-v + n + 1 \le 0)$. From a branch-and-bound proof, a resolution proof for the $\mathcal{LA}(\mathbb{Z})$-lemma corresponding to the root $\mathcal{LA}(\mathbb{Z})$-conflict set can be generated by replacing each leaf $\mathcal{LA}(\mathbb{Q})$-proof $P$ with the corresponding $\mathcal{LA}(\mathbb{Q})$-lemma $C$, and by introducing, for each internal node, a branch-and-bound lemma $(v - n \le 0) \vee (-v + n + 1 \le 0)$ and two resolution steps, according to the following pattern:

- resolve $(v - n \le 0) \vee (-v + n + 1 \le 0)$ with the clause derived from the child $P_1$ labeled $(v - n \le 0)$, pivoting on $(v - n \le 0)$;
- resolve the result with the clause derived from the child $P_2$ labeled $(-v + n + 1 \le 0)$, pivoting on $(-v + n + 1 \le 0)$.

The following example shows how this is done.
Example 3.14. Consider the same set $S$ as in Example 3.11, partitioned as follows:
$$A \stackrel{\text{def}}{=} \left\{\begin{array}{l} (y_1 + 5y_2 - 5y_3 - 2x_1 + 2 \le 0) \\ (x_1 \le 0) \\ (y_1 \le 0) \\ (y_2 - 2 \le 0) \\ (y_3 - 1 \le 0) \end{array}\right.
\qquad
B \stackrel{\text{def}}{=} \left\{\begin{array}{l} (-y_1 - 5y_2 + 5y_3 + 4z_1 - 3 \le 0) \\ (-z_1 \le 0) \\ (-y_1 \le 0) \\ (-y_2 \le 0) \\ (-y_3 \le 0) \end{array}\right.$$

A branch-and-bound proof $P$ that shows the unsatisfiability of $A \wedge B$ is the following (the proofs $P_i$ and lemmas $C_i$ are the same as in Example 3.11; they are reported here for convenience):

- root node, with children labeled $\langle (y_3 \le 0), (-y_3 + 1 \le 0) \rangle$:
  - under $(y_3 \le 0)$: the leaf $P_1$;
  - under $(-y_3 + 1 \le 0)$: an internal node with children labeled $\langle (y_2 \le 0), (-y_2 + 1 \le 0) \rangle$:
    - under $(y_2 \le 0)$: the leaf $P_2$;
    - under $(-y_2 + 1 \le 0)$: the leaf $P_3$;

where:

$P_1 \stackrel{\text{def}}{=}$
- $y_1 + 5y_2 - 5y_3 - 2x_1 + 2 \le 0$, combined with $2 \cdot (x_1 \le 0)$: $y_1 + 5y_2 - 5y_3 + 2 \le 0$
- combined with $(-y_1 \le 0)$: $5y_2 - 5y_3 + 2 \le 0$
- combined with $5 \cdot (-y_2 \le 0)$: $-5y_3 + 2 \le 0$
- combined with $5 \cdot (y_3 \le 0)$: $2 \le 0$

$P_2 \stackrel{\text{def}}{=}$
- $-y_1 - 5y_2 + 5y_3 + 4z_1 - 3 \le 0$, combined with $4 \cdot (-z_1 \le 0)$: $-y_1 - 5y_2 + 5y_3 - 3 \le 0$
- combined with $(y_1 \le 0)$: $-5y_2 + 5y_3 - 3 \le 0$
- combined with $5 \cdot (-y_3 + 1 \le 0)$: $-5y_2 + 2 \le 0$
- combined with $5 \cdot (y_2 \le 0)$: $2 \le 0$

$P_3 \stackrel{\text{def}}{=}$
- $y_1 + 5y_2 - 5y_3 - 2x_1 + 2 \le 0$, combined with $2 \cdot (x_1 \le 0)$: $y_1 + 5y_2 - 5y_3 + 2 \le 0$
- combined with $(-y_1 \le 0)$: $5y_2 - 5y_3 + 2 \le 0$
- combined with $5 \cdot (y_3 - 1 \le 0)$: $5y_2 - 3 \le 0$
- combined with $5 \cdot (-y_2 + 1 \le 0)$: $2 \le 0$

A corresponding resolution proof is then the following:
$$C_1 \stackrel{\text{def}}{=} \neg(y_1 + 5y_2 - 5y_3 - 2x_1 + 2 \le 0) \vee \neg(x_1 \le 0) \vee \neg(-y_1 \le 0) \vee \neg(-y_2 \le 0) \vee \neg(y_3 \le 0)$$
$$C_2 \stackrel{\text{def}}{=} \neg(-y_1 - 5y_2 + 5y_3 + 4z_1 - 3 \le 0) \vee \neg(-z_1 \le 0) \vee \neg(y_1 \le 0) \vee \neg(-y_3 + 1 \le 0) \vee \neg(y_2 \le 0)$$
$$C_3 \stackrel{\text{def}}{=} \neg(y_1 + 5y_2 - 5y_3 - 2x_1 + 2 \le 0) \vee \neg(x_1 \le 0) \vee \neg(-y_1 \le 0) \vee \neg(y_3 - 1 \le 0) \vee \neg(-y_2 + 1 \le 0)$$

- Resolving $(y_2 \le 0) \vee (-y_2 + 1 \le 0)$ with $C_2$, pivot on $(y_2 \le 0)$: $\neg(-y_1 - 5y_2 + 5y_3 + 4z_1 - 3 \le 0) \vee \neg(-z_1 \le 0) \vee \neg(y_1 \le 0) \vee \neg(-y_3 + 1 \le 0) \vee (-y_2 + 1 \le 0)$
- Resolving the above with $C_3$, pivot on $(-y_2 + 1 \le 0)$: $\neg(-y_1 - 5y_2 + 5y_3 + 4z_1 - 3 \le 0) \vee \neg(-z_1 \le 0) \vee \neg(y_1 \le 0) \vee \neg(-y_3 + 1 \le 0) \vee \neg(y_1 + 5y_2 - 5y_3 - 2x_1 + 2 \le 0) \vee \neg(x_1 \le 0) \vee \neg(-y_1 \le 0) \vee \neg(y_3 - 1 \le 0)$
- Resolving $(y_3 \le 0) \vee (-y_3 + 1 \le 0)$ with the above, pivot on $(-y_3 + 1 \le 0)$: $\neg(-y_1 - 5y_2 + 5y_3 + 4z_1 - 3 \le 0) \vee \neg(-z_1 \le 0) \vee \neg(y_1 \le 0) \vee \neg(y_1 + 5y_2 - 5y_3 - 2x_1 + 2 \le 0) \vee \neg(x_1 \le 0) \vee \neg(-y_1 \le 0) \vee \neg(y_3 - 1 \le 0) \vee (y_3 \le 0)$
- Resolving the above with $C_1$, pivot on $(y_3 \le 0)$: $\neg(-y_1 - 5y_2 + 5y_3 + 4z_1 - 3 \le 0) \vee \neg(-z_1 \le 0) \vee \neg(y_1 \le 0) \vee \neg(y_1 + 5y_2 - 5y_3 - 2x_1 + 2 \le 0) \vee \neg(x_1 \le 0) \vee \neg(-y_1 \le 0) \vee \neg(y_3 - 1 \le 0) \vee \neg(-y_2 \le 0)$
where $C_1$, $C_2$ and $C_3$ are the $\mathcal{LA}(\mathbb{Q})$-lemmas corresponding to the $\mathcal{LA}(\mathbb{Q})$-proofs $P_1$, $P_2$ and $P_3$ respectively. Applying Algorithm 2.2 to this proof, and considering all the branch-and-bound atoms as part of $B$ (since they are all on AB-common variables), results in the following $\mathcal{LA}(\mathbb{Z})$-interpolant $I$ for the $\mathcal{LA}(\mathbb{Z})$-lemma corresponding to the root of the proof:
$$I = (y_1 \le 0) \wedge (y_1 + 5y_2 - 5y_3 + 2 \le 0) \wedge (y_1 + 5y_2 - 3 \le 0).$$



4. A NOVEL GENERAL INTERPOLATION TECHNIQUE FOR INEQUALITIES

The use of the Strengthen rule allows us to produce interpolants with very few modifications to the $\mathcal{LA}(\mathbb{Z})$-solver (we only need to enable the generation of cutting-plane proofs), which in turn result in very little overhead at search time. However, the Strengthen rule might cause a very significant overhead when generating the interpolant from a proof of unsatisfiability. In fact, even a single Strengthen application results in a disjunction whose size is proportional to the value of the constant $k$ in the rule. The following example, taken from [KLR10], illustrates the problem.

Example 4.1. Consider the following (parametric) interpolation problem [KLR10]:
$$A = (-y_1 - 2nx_1 - n + 1 \le 0) \wedge (y_1 + 2nx_1 \le 0)$$
$$B = (-y_1 - 2nz_1 + 1 \le 0) \wedge (y_1 + 2nz_1 - n \le 0)$$
where the parameter $n$ is an integer constant greater than 1. Using the rules of §3.2 we can construct the following annotated cutting-plane proof of unsatisfiability:

- Hyp-A: $y_1 + 2nx_1 \le 0\;[\{(y_1 + 2nx_1 \le 0, \top)\}]$
- Hyp-B: $-y_1 - 2nz_1 + 1 \le 0\;[\{(0 \le 0, \top)\}]$
- Comb: $2nx_1 - 2nz_1 + 1 \le 0\;[\{(y_1 + 2nx_1 \le 0, \top)\}]$
- Strengthen (with $k = 2n - 1$): $2nx_1 - 2nz_1 + 1 + (2n - 1) \le 0\;[\{(y_1 + 2nx_1 + j \le 0,\ \exists x_2.(y_1 + 2nx_2 + j = 0)) \mid 0 \le j < 2n - 1\} \cup \{(y_1 + 2nx_1 + 2n - 1 \le 0, \top)\}]$
- Hyp-A: $-y_1 - 2nx_1 - n + 1 \le 0\;[\{(-y_1 - 2nx_1 - n + 1 \le 0, \top)\}]$
- Hyp-B: $y_1 + 2nz_1 - n \le 0\;[\{(0 \le 0, \top)\}]$
- Comb: $-2nx_1 + 2nz_1 - 2n + 1 \le 0\;[\{(-y_1 - 2nx_1 - n + 1 \le 0, \top)\}]$
- Comb of the Strengthen result with the last Comb result: $1 \le 0\;[\{(j - n + 1 \le 0,\ \exists x_2.(y_1 + 2nx_2 + j = 0)) \mid 0 \le j < 2n - 1\} \cup \{((2n - 1) - n + 1 \le 0, \top)\}]$

By observing that $(j - n + 1 \le 0) \models \bot$ when $j \ge n$, the generated interpolant is:
$$(y_1 \equiv_{2n} -n + 1) \vee (y_1 \equiv_{2n} -n + 2) \vee \ldots \vee (y_1 \equiv_{2n} 0),$$
whose size is linear in $n$, and thus exponential wrt. the size of the input problem. In fact, in [KLR10] it is said that this is the only (up to equivalence) interpolant for $(A, B)$ that can be obtained by using only interpreted symbols in the signature $\Sigma \stackrel{\text{def}}{=} \{=, \le, +, -\} \cup \mathbb{Z} \cup \{\equiv_g \mid g \in \mathbb{Z}_{>0}\}$.

In order to overcome this drawback, we present a novel and very effective way of computing interpolants in $\mathcal{LA}(\mathbb{Z})$, which is inspired by a result by Pudlák [Pud97]. The key idea is to extend both the signature and the domain of the theory by explicitly introducing the ceiling function $\lceil \cdot \rceil$ and by allowing non-variable terms to be non-integers.

As in Section 3, we use the annotated rules Hyp-A, Hyp-B and Comb. However, in this case the annotations are single inequalities in the form $(t \le 0)$ rather than (possibly large) sets of inequalities and equalities. Moreover, we replace the Strengthen rule with the equivalent Division rule:
Division:
$$\frac{(A,B) \vdash \sum_i a_i x_i + \sum_j c_j y_j + \sum_k b_k z_k + c \le 0\;\left[\sum_i a_i x_i + \sum_j c'_j y_j + c' \le 0\right]}{(A,B) \vdash \sum_i \frac{a_i}{d} x_i + \sum_j \frac{c_j}{d} y_j + \sum_k \frac{b_k}{d} z_k + \left\lceil \frac{c}{d} \right\rceil \le 0\;\left[\sum_i \frac{a_i}{d} x_i + \left\lceil \frac{\sum_j c'_j y_j + c'}{d} \right\rceil \le 0\right]}$$

where:

- $x_i \notin B$, $y_j \in A \cap B$, $z_k \notin A$;
- $d > 0$ divides all the $a_i$'s, $c_j$'s and $b_k$'s.

As before, if we ignore the presence of annotations, the rules Hyp-A, Hyp-B, Comb and Division form a complete proof system for $\mathcal{LA}(\mathbb{Z})$ [Sch86]. Notice also that all the rules Hyp-A, Hyp-B, Comb and Division preserve the following invariant: the coefficients $a_i$ of the A-local variables are always the same for the implied inequality and its annotation. This makes the Division rule always applicable. Therefore, the above rules can be used to annotate any cutting-plane proof. In particular, this means that our new technique can be applied also to proofs generated by other $\mathcal{LA}(\mathbb{Z})$ techniques used in modern SMT solvers, such as those based on Gomory cuts or on the Omega test [Pug91].

Definition 4.2. An annotated sequent $(A,B) \vdash (t \le 0)\,[(t' \le 0)]$ is valid when:

(1) $A \models (t' \le 0)$;

(2) $B \models (t - t' \le 0)$;

(3) $t' \preceq A$ and $(t - t') \preceq B$.

Theorem 4.3. All the interpolating rules preserve the validity of the sequents.

Proof. The theorem can be easily proved for Hyp-A, Hyp-B and Comb. Therefore, here we focus only on Division.

(1) By hypothesis, $A \models \sum_i a_i x_i + \sum_j c'_j y_j + c' \le 0$. Since $d > 0$, we have that
$$A \models \frac{\sum_i a_i x_i + \sum_j c'_j y_j + c'}{d} \le 0.$$
From the definition of ceiling, therefore
$$A \models \left\lceil \frac{\sum_i a_i x_i + \sum_j c'_j y_j + c'}{d} \right\rceil \le 0.$$
Since $d$ divides the $a_i$'s by hypothesis, $\frac{\sum_i a_i x_i}{d}$ is an integer, and since $\lceil n + x \rceil = n + \lceil x \rceil$ if $n$ is an integer, we have that
$$A \models \sum_i \frac{a_i}{d} x_i + \left\lceil \frac{\sum_j c'_j y_j + c'}{d} \right\rceil \le 0.$$

(2) By hypothesis, $B \models (\sum_i a_i x_i + \sum_j c_j y_j + \sum_k b_k z_k + c) - (\sum_i a_i x_i + \sum_j c'_j y_j + c') \le 0$. Since $d > 0$, then
$$B \models \frac{(\sum_i a_i x_i + \sum_j c_j y_j + \sum_k b_k z_k + c) - (\sum_i a_i x_i + \sum_j c'_j y_j + c')}{d} \le 0$$
and thus
$$B \models \left\lceil \frac{(\sum_i a_i x_i + \sum_j c_j y_j + \sum_k b_k z_k + c) - (\sum_i a_i x_i + \sum_j c'_j y_j + c')}{d} \right\rceil \le 0.$$
By observing that $\lceil x - y \rceil \ge \lceil x \rceil - \lceil y \rceil$, we have:
$$B \models \left\lceil \frac{\sum_i a_i x_i + \sum_j c_j y_j + \sum_k b_k z_k + c}{d} \right\rceil - \left\lceil \frac{\sum_i a_i x_i + \sum_j c'_j y_j + c'}{d} \right\rceil \le 0.$$
By observing that $\lceil n + x \rceil = n + \lceil x \rceil$ when $n$ is an integer, we have finally:
$$B \models \left(\sum_i \frac{a_i}{d} x_i + \sum_j \frac{c_j}{d} y_j + \sum_k \frac{b_k}{d} z_k + \left\lceil \frac{c}{d} \right\rceil\right) - \left(\sum_i \frac{a_i}{d} x_i + \left\lceil \frac{\sum_j c'_j y_j + c'}{d} \right\rceil\right) \le 0.$$

(3) Follows directly from the hypothesis. □



Corollary 4.4. If we can derive a valid sequent $(A,B) \vdash c \le 0\,[t \le 0]$ with $c > 0$, then $(t \le 0)$ is an interpolant for $(A, B)$.

Proof.

(1) $A \models (t \le 0)$. Trivial from Definition 4.2 and Theorem 4.3.

(2) $B \wedge (t \le 0) \models \bot$. From Definition 4.2 and Theorem 4.3 we have $B \models (c - t \le 0)$. Since $c > 0$, then $B \models (-t < 0) \equiv (t > 0)$, so that $B \wedge (t \le 0) \models \bot$.

(3) $(t \le 0) \preceq A$ and $(t \le 0) \preceq B$. Trivial from Definition 4.2 and Theorem 4.3. □



Example 4.5. Consider the following interpolation problem:
$$A \stackrel{\text{def}}{=} (y_1 = 2x_1),\qquad B \stackrel{\text{def}}{=} (y_1 = 2z_1 + 1).$$
The following is an annotated cutting-plane proof of unsatisfiability for $A \wedge B$:

- Hyp-A (from $y_1 = 2x_1$): $y_1 - 2x_1 \le 0\;[y_1 - 2x_1 \le 0]$
- Hyp-B (from $y_1 = 2z_1 + 1$): $2z_1 + 1 - y_1 \le 0\;[0 \le 0]$
- Comb: $2z_1 - 2x_1 + 1 \le 0\;[y_1 - 2x_1 \le 0]$
- Division (with $d = 2$): $z_1 - x_1 + 1 \le 0\;[-x_1 + \lceil \frac{y_1}{2} \rceil \le 0]$
- Hyp-A (from $y_1 = 2x_1$): $2x_1 - y_1 \le 0\;[2x_1 - y_1 \le 0]$
- Hyp-B (from $y_1 = 2z_1 + 1$): $y_1 - 2z_1 - 1 \le 0\;[0 \le 0]$
- Comb: $2x_1 - 2z_1 - 1 \le 0\;[2x_1 - y_1 \le 0]$
- Comb (the Division result taken twice, plus the last Comb result): $1 \le 0\;[-y_1 + 2\lceil \frac{y_1}{2} \rceil \le 0]$

Then, $(-y_1 + 2\lceil \frac{y_1}{2} \rceil \le 0)$ is an interpolant for $(A, B)$.

Using the ceiling function, we do not incur any blowup of the size of the generated interpolant wrt. the size of the proof of unsatisfiability (we remark, however, that in general cutting-plane proofs of unsatisfiability can be exponentially large wrt. the size of the input problem [Sch86, Pud97]). In particular, by using the ceiling function we might produce interpolants which are up to exponentially smaller than those generated using modular equations. The intuition is that the use of the ceiling function in the annotation of the Division rule allows for expressing symbolically the case distinction that the Strengthen rule of §3.2 was expressing explicitly as a disjunction of modular equations.
Example 4.6. Consider again the parametric interpolation problem of Example 4.1:
$$A = (-y_1 - 2nx_1 - n + 1 \le 0) \wedge (y_1 + 2nx_1 \le 0)$$
$$B = (-y_1 - 2nz_1 + 1 \le 0) \wedge (y_1 + 2nz_1 - n \le 0)$$
Using the ceiling function, we can generate the following annotated proof:

- Hyp-A: $y_1 + 2nx_1 \le 0\;[y_1 + 2nx_1 \le 0]$
- Hyp-B: $-y_1 - 2nz_1 + 1 \le 0\;[0 \le 0]$
- Comb: $2nx_1 - 2nz_1 + 1 \le 0\;[y_1 + 2nx_1 \le 0]$
- Division (with $d = 2n$): $x_1 - z_1 + 1 \le 0\;[x_1 + \lceil \frac{y_1}{2n} \rceil \le 0]$
- Hyp-A: $-y_1 - 2nx_1 - n + 1 \le 0\;[-y_1 - 2nx_1 - n + 1 \le 0]$
- Hyp-B: $y_1 + 2nz_1 - n \le 0\;[0 \le 0]$
- Comb: $-2nx_1 + 2nz_1 - 2n + 1 \le 0\;[-y_1 - 2nx_1 - n + 1 \le 0]$
- Comb (the Division result taken $2n$ times, plus the last Comb result): $1 \le 0\;[2n\lceil \frac{y_1}{2n} \rceil - y_1 - n + 1 \le 0]$

The interpolant corresponding to such a proof is then $(2n\lceil \frac{y_1}{2n} \rceil - y_1 - n + 1 \le 0)$, whose size is linear in the size of the input.
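The annotated rules of this section with the Division rule, run on Examples 4.5 and 4.6, as an added Python illustration (not the paper's or MathSAT's code): it produces the ceiling interpolant and then brute-force checks the three interpolant conditions on a small box of integer values. The term encoding, the variable names and the proof shape shared by the two examples (Comb, Division by $d$, Comb, final Comb with the Division result taken $d$ times) are the example's own.

```python
from fractions import Fraction
from math import ceil
from itertools import product

# Terms are dicts {var: Fraction} read as "term <= 0"; key "1" is the constant.
# An annotation may also hold a key ("ceil", inner_items, d) meaning ceil(inner/d).

def add(t1, t2, k1=1, k2=1):
    """k1*t1 + k2*t2 with zero coefficients dropped."""
    out = {}
    for t, k in ((t1, k1), (t2, k2)):
        for key, c in t.items():
            out[key] = out.get(key, 0) + Fraction(k) * c
    return {key: c for key, c in out.items() if c != 0}

def hyp(t, from_a):
    """Hyp-A annotates t <= 0 with itself, Hyp-B with 0 <= 0 (the empty term)."""
    return (t, dict(t) if from_a else {})

def comb(s1, s2, k1=1, k2=1):
    """Comb: the same positive combination of implied inequality and annotation."""
    return (add(s1[0], s2[0], k1, k2), add(s1[1], s2[1], k1, k2))

def division(seq, d, a_vars, b_vars):
    """Division rule: divide by d (which must divide every variable coefficient),
    round the implied constant up, and in the annotation keep the A-local
    coefficients a_i/d linear while the AB-common part goes under one ceiling."""
    t, ann = seq
    assert all(c % d == 0 for v, c in t.items() if v != "1")
    new_t = {v: c / d for v, c in t.items() if v != "1"}
    if "1" in t:
        new_t["1"] = Fraction(ceil(t["1"] / d))
    a_local = a_vars - b_vars
    new_ann = {v: c / d for v, c in ann.items() if v in a_local}
    common = {v: c for v, c in ann.items() if v not in a_local}
    if common:
        new_ann[("ceil", tuple(sorted(common.items())), d)] = Fraction(1)
    return (new_t, new_ann)

def evaluate(t, mu):
    """Value of a (possibly ceiling-containing) term under the integer assignment mu."""
    total = Fraction(0)
    for key, c in t.items():
        if key == "1":
            total += c
        elif isinstance(key, tuple):
            total += c * ceil(evaluate(dict(key[1]), mu) / key[2])
        else:
            total += c * mu[key]
    return total

def is_interpolant(interp, a_cons, b_cons, a_vars, b_vars, box=range(-6, 7)):
    """Brute-force check on a box of integers: A entails I, I and B are
    inconsistent, and I mentions only AB-common variables."""
    symbols = {k for k in interp if isinstance(k, str) and k != "1"}
    symbols |= {v for k in interp if isinstance(k, tuple) for v, _ in k[1] if v != "1"}
    if not symbols <= (a_vars & b_vars):
        return False
    names = sorted(a_vars | b_vars)
    for vals in product(box, repeat=len(names)):
        mu = dict(zip(names, vals))
        in_a = all(evaluate(t, mu) <= 0 for t in a_cons)
        in_b = all(evaluate(t, mu) <= 0 for t in b_cons)
        in_i = evaluate(interp, mu) <= 0
        if (in_a and not in_i) or (in_b and in_i):
            return False
    return True

def ceiling_interpolant(A, B, d, a_vars, b_vars):
    """Proof shape of Examples 4.5 and 4.6; returns (implied term, annotation)."""
    s1 = comb(hyp(A[0], True), hyp(B[0], False))
    s2 = division(s1, d, a_vars, b_vars)
    s3 = comb(hyp(A[1], True), hyp(B[1], False))
    return comb(s2, s3, d, 1)       # root sequent: 1 <= 0 [interpolant <= 0]

F = Fraction

def example_4_5():
    """A = (y1 = 2x1), B = (y1 = 2z1 + 1), each equality as two inequalities."""
    A = [{"y1": F(1), "x1": F(-2)}, {"x1": F(2), "y1": F(-1)}]
    B = [{"z1": F(2), "1": F(1), "y1": F(-1)}, {"y1": F(1), "z1": F(-2), "1": F(-1)}]
    return A, B, {"y1", "x1"}, {"y1", "z1"}, 2

def example_4_6(n):
    """The parametric problem of Examples 4.1 and 4.6 for a concrete n > 1."""
    A = [{"y1": F(1), "x1": F(2 * n)}, {"y1": F(-1), "x1": F(-2 * n), "1": F(-n + 1)}]
    B = [{"y1": F(-1), "z1": F(-2 * n), "1": F(1)}, {"y1": F(1), "z1": F(2 * n), "1": F(-n)}]
    return A, B, {"y1", "x1"}, {"y1", "z1"}, 2 * n

if __name__ == "__main__":
    for A, B, av, bv, d in (example_4_5(), example_4_6(3)):
        implied, interp = ceiling_interpolant(A, B, d, av, bv)
        print(implied, interp, is_interpolant(interp, A, B, av, bv))
```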



4.1. Solving and interpolating formulas with ceilings. Any SMT solver supporting $\mathcal{LA}(\mathbb{Z})$ can be easily extended to support formulas containing ceilings. In fact, we notice that we can eliminate ceiling functions from a formula $\varphi$ with a simple preprocessing step as follows:

(1) Replace every term $\lceil t_i \rceil$ occurring in $\varphi$ with a fresh integer variable $x_{\lceil t_i \rceil}$;

(2) Set $\varphi$ to $\varphi \wedge \bigwedge_i \{(x_{\lceil t_i \rceil} - 1 < t_i \le x_{\lceil t_i \rceil})\}$.

Moreover, we remark that for using ceilings we must only be able to represent non-variable terms with rational coefficients, but we don't need to extend our $\mathcal{LA}(\mathbb{Z})$-solver to support Mixed Rational/Integer Linear Arithmetic. This is because, after the elimination of ceilings performed during preprocessing, we can multiply both sides of the introduced constraints $(x_{\lceil t_i \rceil} - 1 < t_i)$ and $(t_i \le x_{\lceil t_i \rceil})$ by the least common multiple of the rational coefficients in $t_i$, thus obtaining two $\mathcal{LA}(\mathbb{Z})$-inequalities.

For interpolation, it is enough to preprocess $A$ and $B$ separately, so that the elimination of ceilings will not introduce variables common to $A$ and $B$.

4.2. Generating sequences of interpolants. One of the most important applications of interpolation in Formal Verification is abstraction refinement [HJMM04, McM06]. In such a setting, every input problem $\phi$ has the form $\phi \stackrel{\text{def}}{=} \phi_1 \wedge \ldots \wedge \phi_n$, and the interpolating solver is asked to compute a sequence of interpolants $I_1, \ldots, I_{n-1}$ corresponding to different partitions of $\phi$ into $A_i$ and $B_i$, such that $\forall i$, $A_i \stackrel{\text{def}}{=} \phi_1 \wedge \ldots \wedge \phi_i$ and $B_i \stackrel{\text{def}}{=} \phi_{i+1} \wedge \ldots \wedge \phi_n$. Moreover, $I_1, \ldots, I_{n-1}$ should be related by the following:
$$I_i \wedge \phi_{i+1} \models I_{i+1} \qquad (4.1)$$

As stated (without proof) in [HJMM04], a sufficient condition for (4.1) to hold is that all the $I_i$'s are computed from the same proof of unsatisfiability for $\phi$. In our previous work [CGS10] (Theorem 6.6, page 7:46), we have formally proved that such a sufficient condition is valid for every SMT($\mathcal{T}$)-proof of unsatisfiability, independently of the background theory $\mathcal{T}$. By observing that all the techniques that we have described in this article do not involve modifications/manipulations of the proofs of unsatisfiability, we can immediately conclude that this approach can be applied without modifications also in our context, for computing sequences of interpolants for $\mathcal{LA}(\mathbb{Z})$-formulas using our interpolation algorithms.

Figure 3: Comparison between MathSAT and the other $\mathcal{LA}(\mathbb{Z})$-interpolating tools, execution time.

5. Experimental evaluation

The techniques presented in previous sections have been implemented within the MathSAT 5 SMT solver [Gri12]. In this section, we experimentally evaluate our approach.

5.1. Experiments on large SMT formulas. In the first part of our experimental analysis, we evaluate the performance of our techniques on relatively large formulas taken from the set of benchmark instances in the QF_LIA ("quantifier-free $\mathcal{LA}(\mathbb{Z})$") category of the SMT-LIB (http://smtlib.org). More specifically, we have selected the subset of $\mathcal{LA}(\mathbb{Z})$-unsatisfiable instances whose rational relaxation is (easily) satisfiable, so that $\mathcal{LA}(\mathbb{Z})$-specific interpolation techniques are put under stress. In order to generate interpolation problems, we have split each of the collected instances in two parts $A$ and $B$, by collecting about 40% and making sure that $A$ contains some symbols not occurring in $B$ (so that $A$ is never a "trivial" interpolant). In total, our benchmark set consists of 513 instances.

We have run the experiments on a machine with a 2.6 GHz Intel Xeon processor, 16 GB of RAM and 6 MB of cache, running Debian GNU/Linux 5.0. We have used a time limit of 1200 seconds and a memory limit of 3 GB.
Figure 4: Comparison between MathSAT and the other $\mathcal{LA}(\mathbb{Z})$-interpolating tools, interpolants size (measured in number of nodes in the DAG of the interpolant). (See also footnote 12.)

5.1.1. Comparison with the state-of-the-art tools available. We compare MathSAT with 
all the other interpolant generators for CAiZ) which are available (to the best of our 
knowledge): iPrincess |BKRW10j li InterpolatingOpenSMT [KLRlOj F^ and SmtIn- 
terpol We compare not only the execution times for generating interpolants, but also 
the size of the generated formulas (measured in terms of number of nodes in their DAG 
representation) . 

For MathSAT, we use two configurations: MathSAT-modEq, which produces in- 
terpolants with modular equations using the Strengthen rule of and MathSAT-ceil, 
which uses the ceiling function and the Division rule of £JH 

Results on execution times for generating interpolants are reported in Fig. [3l Both 
MathSAT-modEq and MathSAT-ceil could successfully generate an interpolant for 478 
of the 513 interpolation problems (timing out on the others), whereas iPrincess, Inter- 
polatingOpenSMT and SmtInterpol were able to successfully produce an interpolant 
in 62, 192 and 217 cases respectively. Therefore, MathSAT can solve more than twice as 
many instances as its closer competitor SmtInterpol, and in most cases with a signifi- 
cantly shorter execution time (Fig. [3]) . 

For the subset of instances which could be solved by at least one other tool, therefore, 
the two configurations of MathSAT seem to perform equally well. The situation is the same 
also when we compare the sizes of the produced interpolants, measured in number of nodes in 
a DAG representation of formulas. Comparisons on interpolant size are reported in Fig. [41 

' http: //www.philipp.ruemmer . org/iprincess . shtml| 

1( http : //www.philipp . ruemmer . org/interpolating-opensmt . shtml 

1] http : //ultimate . informatik. uni-freiburg . de/smtinterpol/ We are not aware of any publication 
describing the tool. 
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Execution Time 



Interpolants Size 



Execution Time 




MathSAT-modEq 



(a) 



MathSAT-modEq 




Figure 5: (a) Comparison between MathSAT-modEq and MathSAT-ceil configurations 
for interpolation, (b) Execution time overhead for interpolation with MathSAT - 

CEIL. 

which shows that, on average, the interpolants produced by MathSAT are comparable 
to those produced by other tools. In fact, there are some cases in which SmtInterpol 
produces significantly-smaller interpolants, but we remark that MathSAT can solve 261 
more instances than SmtInterpol 

The differences between MathSAT-modEq and MathSAT-ceil become evident when 
we compare the two configurations directly. The plots in Fig. 5(a) show that MathSAT-ceil 
is dramatically superior to MathSAT-modEq, with gaps of up to two orders of 
magnitude in execution time, and up to four orders of magnitude in the size of interpolants. 
Such differences are solely due to the use of the ceiling function in the generated interpolants, 
which prevents the blow-up of the formula wrt. the size of the proof of unsatisfiability. Since 
most of the differences between the two configurations occur in benchmarks that none of 
the other tools could solve, the advantage of using ceilings was not visible in Figs. 3 and 4. 

Finally, in Fig. 5(b) we compare the execution time of producing interpolants with 
MathSAT-ceil against the solving time of MathSAT with interpolation turned off. The 
plot shows that the restriction on the kind of extended branch-and-bound lemmas gener- 
ated when computing interpolants (see §3.3) can have a significant impact on individual 
benchmarks. However, on average MathSAT-ceil is not worse than the "regular" Math- 
SAT, and the two can solve the same number of instances, in approximately the same total 
execution time. 

5.2. Experiments on model checking problems. In the second part of our experi- 
mental analysis, we evaluate the performance of MathSAT and all the other interpolant 
generators for LA(Z) described above (§5.1.1) when used in an interpolation-based model 
checking context. In particular, we have implemented the original interpolation-based model 
checking algorithm of McMillan [McM03], and applied it to the verification of some transi- 
tion systems generated from simple sequential C programs, using LA(Z) as a background 
theory.13 The benchmarks have been taken from the literature on LA(Z)-related inter- 
polation procedures [JCG08, Gri11]. We have then run this implementation using each 
of the solvers above as interpolation engines, and compared the results in terms of num- 
ber of instances solved, time spent in computing interpolants, and number of calls to the 
interpolating solvers. For MathSAT, besides the two configurations MathSAT-modEq 
and MathSAT-ceil described in the previous section, we have also tested additional con- 
figurations obtained by disabling some of the layers of the LA(Z)-solver described in §2.2: 
MathSAT-noEQ, in which we disabled the equality elimination module, MathSAT-noBB, 
in which we disabled the internal branch and bound module, and MathSAT-noEQ-noBB, 
in which we disabled both. 

12 The plots of Fig. 4 show also some apparently strange outliers in the comparison with Interpolatin- 
gOpenSMT. A closer analysis revealed that those are instances for which InterpolatingOpenSMT was 
able to detect that the inconsistency of A ∧ B was due solely to A or to B, and thus could produce a trivial 
interpolant ⊥ or ⊤, whereas the proof of unsatisfiability produced by MathSAT involved both A and B. 
An analogous situation is visible also in the comparison between MathSAT and SmtInterpol, this time 
in favor of MathSAT. 

13 Both the implementation and the benchmarks are available upon request. 

Table 1: Experimental results on model checking problems. 

Results (num. of queries / execution time) 

Benchmark          MathSAT-ceil   MathSAT-modEq   MathSAT-noEQ   MathSAT-noBB 
byte_add_1         9 / 1.05       9 / 1.06        9 / 1.00       9 / 1.02 
byte_add_2         13 / 2.33      13 / 2.36       13 / 2.27      13 / 2.40 
byte_add_3         52 / 97.68     52 / 91.71      T.O.           52 / 97.83 
byte_add_4         28 / 27.77     28 / 28.38      T.O.           28 / 28.06 
jain_1             8 / 0.04       8 / 0.04        T.O.           8 / 0.04 
jain_2             8 / 0.06       8 / 0.06        T.O.           8 / 0.05 
jain_4             7 / 0.06       7 / 0.06        T.O.           7 / 0.05 
jain_5             42 / 0.84      42 / 0.82       42 / 0.88      42 / 0.81 
jain_6             7 / 0.06       7 / 0.06        T.O.           7 / 0.06 
jain_7             8 / 0.08       8 / 0.08        T.O.           8 / 0.07 
num_conversion_1   51 / 13.33     51 / 13.02      51 / 21.04     51 / 12.83 
num_conversion_2   T.O.           T.O.            T.O.           T.O. 
num_conversion_3   43 / 5.40      43 / 5.02       43 / 5.78      43 / 4.99 
num_conversion_4   52 / 19.03     53 / 19.81      T.O.           52 / 17.45 
num_conversion_5   47 / 8.63      47 / 7.87       T.O.           47 / 7.72 

Results (num. of queries / execution time) 

Benchmark          MathSAT-noEQ-noBB   SmtInterpol   iPrincess    InterpolatingOpenSMT 
byte_add_1         9 / 1.60            9 / 46.48     T.O.         1 / 0.073 
byte_add_2         13 / 3.03           9 / 48.37     T.O.         1 / 0.073 
byte_add_3         52 / 111.89         ERR           T.O.         BAD 
byte_add_4         28 / 44.19          ERR           T.O.         BAD 
jain_1             T.O.                7 / 2.15      8 / 23.44    BAD 
jain_2             T.O.                BAD           6 / 20.12    BAD 
jain_4             T.O.                7 / 2.93      9 / 55.05    BAD 
jain_5             42 / 0.81           BAD           T.O.         BAD 
jain_6             T.O.                BAD           7 / 28.96    BAD 
jain_7             T.O.                BAD           T.O.         BAD 
num_conversion_1   51 / 11.44          BAD           T.O.         BAD 
num_conversion_2   T.O.                ERR           T.O.         BAD 
num_conversion_3   43 / 5.36           ERR           T.O.         BAD 
num_conversion_4   60 / 37.86          BAD           T.O.         BAD 
num_conversion_5   47 / 8.10           ERR           T.O.         BAD 

Key: T.O.: time-out (300 seconds); ERR: internal error/crash of the interpolating solver; BAD: wrong 
interpolant produced. 
The results are reported in Table 1. They clearly show that both MathSAT-ceil 
and MathSAT-modEq outperform the other tools also when applied in a model checking 
context. Moreover, it is interesting to observe the following: 

• for these particular benchmarks, MathSAT-modEq and MathSAT-ceil seem to be 
substantially equivalent: the only significant difference is in the num_conversion_4 bench- 
mark, in which MathSAT-ceil leads to a slightly faster convergence, requiring one it- 
eration less; 

• the equality elimination layer seems to be very important, and disabling it leads to a 
dramatic decrease in performance; 

• somewhat surprisingly, the decrease in performance due to the disabling of the equality 
elimination module can be mitigated by disabling also the internal branch and bound 
module. We attribute this to the different "quality" of the interpolants generated, which 
seems to be somehow "better" for MathSAT-noEQ-noBB than for MathSAT-noEQ. 
However, we remark that the notion of "quality" of interpolants is still vague and un- 
clear, and in particular we are not aware of any satisfactory characterization of it in the 
literature. Investigating the issue more in depth could be part of interesting future work. 

6. Related Work 

The general algorithm for interpolation in SMT(T) was given by McMillan in [McM05], 
together with algorithms for sets of literals in the theories EUF, LA(Q) and their combina- 
tion. Algorithms for other theories and/or alternative approaches are presented in [RSS10, 
YM05, KW07, KMZ06, CGS10, JCG08, LT08, FGG+09, GKT09, BKRW10, KLR10]. In 
particular, [CGS10, FGG+09, GKT09] explicitly focus on building efficient interpolation 
procedures on top of state-of-the-art SMT solvers. Efficient interpolation algorithms for the 
Difference Logic and Unit-Two-Variables-Per-Inequality fragments of LA(Z) are given in 
[CGS10]. Some preliminary work on interpolation on the theory of fixed-width bit-vectors is 
presented in [KW07, Gri11]. As regards interpolation in the full LA(Z), McMillan showed 
in [McM05] that it is in general not possible to obtain quantifier-free interpolants (starting 
from a quantifier-free input) in the standard signature of LA(Z) (consisting of Boolean 
connectives, integer constants and the symbols +, ·, <, =). By extending the signature to 
contain modular equalities (or, equivalently, divisibility predicates) it is possible to compute 
quantifier-free LA(Z) interpolants by means of quantifier elimination, which is however pro- 
hibitively expensive in general, both in theory and in practice. Using modular equalities, 
Jain et al. [JCG08] developed polynomial-time interpolation algorithms for linear equations 
and disequations and for linear modular equations. A similar algorithm was also proposed 
in [LT08]. The work in [BKRW10] was the first to present an interpolation algorithm for 
the full LA(Z) (augmented with divisibility predicates) not based on quantifier elimination. 
Finally, an alternative algorithm, exploiting efficient interpolation procedures for LA(Q) 
and for linear equations in LA(Z), has been recently presented in [KLR10]. 
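Both the BAD verdicts in Table 1 and the signature discussion above rest on the three conditions an interpolant for (A, B) must satisfy: A entails I, I ∧ B is inconsistent, and I mentions only symbols common to A and B. The following Python script is an added illustration, not part of the original article and not MathSAT code: it checks a candidate interpolant for two LA(Z) formulas over a bounded box of integer assignments. Such enumeration can refute a wrong candidate (the kind of check that flags a BAD result) but proves nothing over all of Z. The pair A: x = 2y, B: x = 2z + 1 is the standard example for which no quantifier-free interpolant exists in the plain signature; the candidates built from a modular equality and from the ceiling function are assumed shapes of the two kinds of interpolant discussed above, and all variable names, class names and helpers are hypothetical.

```python
"""Bounded-domain check of a Craig interpolant for LA(Z) formulas.

Added illustration (not MathSAT code).  A candidate I for the pair (A, B)
is rejected if, on the box [lo, hi]^n of integer assignments, either
A does not entail I, or I and B are jointly satisfiable, or I mentions a
variable that is not common to A and B.  Enumerating a box can only
refute a candidate (a 'BAD' verdict); it proves nothing about all of Z.
"""
from itertools import product


class Formula:
    """A quantifier-free formula given by its free variables and a Python
    predicate over an assignment dict {name: int}.  Hypothetical helper."""

    def __init__(self, variables, pred):
        self.vars = frozenset(variables)
        self.pred = pred

    def holds(self, env):
        return bool(self.pred(env))


def check_interpolant(A, B, I, lo=-6, hi=6):
    """Return (ok, reason).  ok is False as soon as a counterexample to one
    of the three interpolant conditions is found inside the box."""
    shared = A.vars & B.vars
    if not I.vars <= shared:
        extra = sorted(I.vars - shared)
        return False, "symbol condition violated: %s not common to A and B" % extra
    names = sorted(A.vars | B.vars | I.vars)
    for values in product(range(lo, hi + 1), repeat=len(names)):
        env = dict(zip(names, values))
        if A.holds(env) and not I.holds(env):
            return False, "A does not entail I at %s" % env
        if I.holds(env) and B.holds(env):
            return False, "I and B are jointly satisfiable at %s" % env
    return True, "no counterexample in [%d, %d]^%d" % (lo, hi, len(names))


def ceil_div(a, b):
    """Integer ceiling of a / b for b > 0 (Python's // floors)."""
    return -((-a) // b)


# Constructed example: A says x is even, B says x is odd.  A and B share
# only x, so an interpolant may mention x and nothing else.
A = Formula({"x", "y"}, lambda e: e["x"] == 2 * e["y"])
B = Formula({"x", "z"}, lambda e: e["x"] == 2 * e["z"] + 1)

# Interpolant using a modular equality (divisibility predicate): x = 0 mod 2.
I_MODEQ = Formula({"x"}, lambda e: e["x"] % 2 == 0)
# Equivalent interpolant using the ceiling function: 2 * ceil(x / 2) <= x.
I_CEIL = Formula({"x"}, lambda e: 2 * ceil_div(e["x"], 2) <= e["x"])
# Two candidates in the plain signature, both wrong.
I_NONNEG = Formula({"x"}, lambda e: e["x"] >= 0)   # A does not entail it
I_TRUE = Formula(set(), lambda e: True)            # consistent with B
# Restates A but mentions y, which B does not share.
I_LOCAL = Formula({"x", "y"}, lambda e: e["x"] == 2 * e["y"])


def run_checks():
    """Verdict (ok, reason) for every candidate above, keyed by name."""
    candidates = {"modeq": I_MODEQ, "ceil": I_CEIL, "nonneg": I_NONNEG,
                  "true": I_TRUE, "local": I_LOCAL}
    return {name: check_interpolant(A, B, I) for name, I in candidates.items()}


if __name__ == "__main__":
    for name, (ok, reason) in run_checks().items():
        print("%-7s %s  %s" % (name, "OK " if ok else "BAD", reason))
```

The two accepted candidates express the same set of integers, which is the point made above about the ceiling function: it lets the interpolant stay quantifier-free without a divisibility predicate. Widening the box (the lo and hi arguments) only makes the refutation stronger; a positive verdict remains a bounded check, so an interpolant returned by a real solver should be validated with an SMT solver rather than by enumeration.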

7. Conclusions 

In this article, we have presented a novel interpolation algorithm for LA(Z) that allows for 
producing interpolants from arbitrary cutting-plane proofs without the need of performing 
quantifier elimination. We have also shown how to exploit this algorithm, in combination 
with other existing techniques, in order to implement an efficient interpolation procedure 
on top of a state-of-the-art SMT(LA(Z))-solver, with almost no overhead in search, and 
with up to orders of magnitude improvements, both in execution time and in formula size, 
wrt. existing techniques for computing interpolants from arbitrary cutting-plane proofs. 